23542300x80000000000000007983504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:56:54.132{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA841CBDDE3781CD8619C8B23C52D621,SHA256=0142504A7B4313F28BB6006BF1F957B148600B7BE30E36690A20C87AA087ECF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015896955Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:56:54.474{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F03B3629C03C4381851C57C928300388,SHA256=0994EEA878BBFF77DB67AA28389EA538384D3E6400A622E7C1419D19D9683FAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:56:55.491{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51BE8D0EBB9A5DB8E56231C4603EB1D9,SHA256=2D8AF6EB91FB0B5E11B31222BEE3C618D57C032BAF31AC3F2136BBAB296CC773,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015896957Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:56:55.521{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C5AFC1DD3C234D774B35E2444557B6D,SHA256=64A56C77F37CC664B5D6D8314BF6416AA6231A2EA1D90E8085EBAC498499BB0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015896956Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:56:55.255{B81B27B7-880A-60DC-1000-00000000C701}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=30FB88726264E146D7BB658BE47F8E8F,SHA256=0C854A6B11690C9EAAFFA46528833B25083535683BBF9D810FFAD80AD6E1C0B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:56:56.850{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F1030F8B6AD6B201688B3CC2066DE94,SHA256=7F18993C9EB1903332930B389E48BBE8AB532CC9389A2B109530880714F32563,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007983506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:56:53.315{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62042-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015896958Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:56:56.568{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9228DE3D199F2E979BE746D44168C74A,SHA256=B849A1493ED12EDD46469D0A14A0663F09C74A96D5622D7CC2DE0BBAD65414AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:56:57.538{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42F7A44F4D2E76E54104427F9C07FE75,SHA256=8C2010397F48B680CF14C3936C41ABC2647CDCF307C9A0FB7446590A2CE72643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015896959Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:56:57.583{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBBBC2F45BDCBDBFC0594CB023C806A6,SHA256=E581F20B533E7595CDF755B69B8A1729E073B40EB9ADC44D4975308F3B272211,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:56:58.225{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE3F768ADF444C96E3B6A0DDE859BA4C,SHA256=A2D4C3C6582A18C2BD5A631D06590FD09FD41419D4473B659987AB16B26E712F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015896961Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:56:58.599{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A8A069F80D64C202EB87CD909CBE053,SHA256=8749C92F61F9ADA5770FAD08E063E0C64EB7F7980C89E424AFDBF776FE674E70,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015896960Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:56:55.470{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51799-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007983510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:56:59.585{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3ABFB3A2681B1CF7DC09DA8A4231B6D,SHA256=4259B32DF1071A6C8EC4B154FAD2A33B7EC55DDBF4A5A2A42C7CA64305C147A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015896962Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:56:59.646{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62DF86E9E5205B6AACEA06A228580685,SHA256=16B277DF169EECABBFBBF64AF871EA0AE44D2CE61C5DACCA2136408DABA10288,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:00.960{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A16DC3F79C4796ED7D41884C279B319C,SHA256=3E93A7327581F3386DC2CB3A19E35FBBD9EFBBC4009CF164DF956671B83CDD76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007983513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:00.757{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1600-00000000C801}1320C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:00.757{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1600-00000000C801}1320C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:00.757{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1600-00000000C801}1320C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015896963Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:00.646{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98899A7EAB9BCAACDEB3F0DE05F26F5C,SHA256=A77D5B7387B294C2206F619D73553B1D4C7105D20858CD3666A3DF5A4DC90747,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007983515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:56:58.409{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62043-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015896964Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:01.661{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F326F9EF24F18409212FAB1D88007BB6,SHA256=7E42C885B6033ABA3F16EA8163DFAE96AFF64B8C4B4EF772E6460CEB6E83A63A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:02.319{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6B642E4FA9CEEF90B4533DAB593EB3A,SHA256=CC19527E5AB985EA6F5CF4C35603047A974A12F77A89F55A7B723E623B095701,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015896965Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:02.677{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7D1F15F03713FB2FBD46DCD790449AD,SHA256=8DCA0EA7E4241F439D51D87A64F1CD157098E2458C651EB852BAC0FE30DEA17C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:03.694{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02D71EAA9FAC22D5EAE9DEF194AA6985,SHA256=4C5E5748974A5E3278973A9192824B80ED906743C3E383BD967099B82D899156,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015896966Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:03.677{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3901E8EF5955567D19463C4EE26CF10E,SHA256=C17C9AD22A892239477D437D766898D7950CE14938DAE5E008E45F2C0A62C8F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015896968Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:04.693{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E04C1EB1028D462386FEA850E37DA83,SHA256=984CD7507283DEE83FFD77C3398B53D4F2A741E7445097D300439ED004C0B586,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015896967Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:01.502{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51800-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000007983519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:03.408{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62044-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007983518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:05.069{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03636AE911A357037F8DC1E302EAFF6A,SHA256=D6BD271D67C376FDB93DA953664157B1AD444CA6591C526A3398259B38CEE2DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015896969Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:05.755{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9990E869AA7A1F2BC1E83CC894F51E5,SHA256=F7FB18C2A7F7702870A969A35A6E7577BC5E3201F216B9DCD5BE706421532BA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:06.429{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D3BC1C349B8728C7E2051DFEB324ED8,SHA256=CC5C41717FC99BD805911F2F9F66B8F78E34216A3CF049E1B1B9A39E29D87430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007983520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:06.429{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=059017EDA3156C3E72BEAAED74270A2D,SHA256=363952F063A933EF7699F94FC60081E002CD659675B55E6125FE7C9FC3AD3DD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015896970Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:06.759{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83BE7DDB5CB31CBCF39D2FE948E8FF7E,SHA256=BDAC9541D14655EE80904D42E4749A6453DFE846CED9DA6E30ED73369E493D50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:07.792{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE841C817B2BE622A942046E84FF8BA8,SHA256=892242C986574F29880D8E8885E25CD0450CA3E5E40342C25ADB838A33F1F790,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015896971Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:07.822{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60EC3AB0FCE403CA60F9026153B66A2A,SHA256=2A0571D2F64A0D7EB10DB9F100650EBC92E5E13A4E6BB14FA58E2BC7F9CA8BC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015896972Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:08.837{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AA70F11DA939FECC300C806C2DAA84A,SHA256=F20868202C845B92836E7FD427AA476E14782C737AFD0D2D5962F8DAED02B329,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:09.151{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EA78F5D8DF5F77CD3F5FC33630F851B,SHA256=3AAF40C10AA18525E2C0207089BE46583EDF8789E4E5D2842E61BFA6E48F651C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015896974Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:09.884{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4C54E7D3B174B09A4A5FD8AA958EC04,SHA256=B037CF0CD42BF07D0D049461F14307F536C8225A97C9B70A625E10BD00D60967,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015896973Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:07.349{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51801-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000007983525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:08.443{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62045-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007983524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:10.526{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76C5D45D92A788A92E9C43DFE8878D32,SHA256=87AFD5F0281A0E23E1EC74A458F6E6917C33DCEF63FB3D3D4AA7EC5F3EF84259,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015896975Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:10.962{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62719B0D7AB36D41F24CE83759938395,SHA256=7F9B7988A275756E29D01B01CB7BEC903DFDE4FB4DBDCEC265E1BF9F1BB6293A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:11.885{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F69B00CF31F25673C7E737F0D2467E6,SHA256=A54D93071F66D8B3774093566DAB56148F99F28D464B525E010319A30DB48727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015896976Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:11.978{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5485A4208856A98AD103BD74E1C3D77B,SHA256=01217E80715CD8A5C5EE8329D4D376897BDC06FE8350725508E9881405A95006,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015896977Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:12.994{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA4F4F77855AEAE37A0CB11E033EA522,SHA256=17AD8AF19C7B67089A73C961313530DA8465F5133E46AAF07D0698346B2EB307,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007983529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:10.678{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62046-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007983528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:10.678{3BF36828-DD1D-60DD-2F00-00000000C801}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62046-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x80000000000000007983527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:13.245{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF268B521FBD5A76AC7A9AA51B33E96F,SHA256=C8967FE6EC7C71E0099151CAF5E9A41B0377EBD5EC73398FC0A50F07F0678280,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007983586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.745{3BF36828-E5DA-60DD-9E01-00000000C801}38884708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007983585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.745{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007983584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.745{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007983583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.635{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007983582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.635{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007983581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.635{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007983580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.635{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007983579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.635{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007983578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.635{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007983577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.635{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007983576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.635{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007983575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.635{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007983574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007983573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007983572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007983571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007983570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007983569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007983568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007983567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007983566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007983565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007983564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007983563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007983562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007983561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007983560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007983559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007983558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007983557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007983556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007983555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007983554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007983553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007983552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007983551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007983550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007983549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007983548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007983547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007983546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007983545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007983544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007983543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007983542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007983539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x80000000000000007983538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007983532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007983531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.620{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DAE68F864E74C2FC6053430D6337473,SHA256=D76775FC890DFF51E6E7F420556B75161A40AE8E3FE52DBF461789305732AF94,IMPHASH=00000000000000000000000000000000falsetrue 154100x80000000000000007983530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.621{3BF36828-E5DA-60DD-9E01-00000000C801}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000015896979Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:12.396{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51802-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015896978Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:14.040{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7232C2501E80C6B094421E59843B3A40,SHA256=004B26829C41FD4479D7F2FF77EA1CF8207140416773E8E68F5D3CA87385C1EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.979{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B4F285AEC54B1D82BAFB610E144A5DB,SHA256=38739AC6D0806577D89560CF87C2EA4841DC1C393B7EFA2895AAE3829507ACD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007983643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.979{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=943C74527786CBBB3E13F5C1A8E1CA85,SHA256=2AC2348CC5B3C48D7FCB083BD5CD8C3607820AE6289CB99FF38B6101EC78B3E3,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007983642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.432{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007983641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.432{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007983640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.432{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007983639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.323{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007983638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.323{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007983637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.323{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007983636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.323{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007983635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.323{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007983634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.323{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007983633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.323{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007983632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.323{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007983631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007983630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007983629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007983628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007983627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007983626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007983625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007983624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007983623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007983622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007983621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007983620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007983619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007983618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007983617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007983616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007983615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007983614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007983613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007983612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007983611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007983610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007983609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007983608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007983607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007983606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007983605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x80000000000000007983604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007983603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007983602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007983601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007983600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007983599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007983598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007983595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x80000000000000007983594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007983588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.307{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007983587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:15.309{3BF36828-E5DB-60DD-9F01-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015896980Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:15.040{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51AB9BCA413705B232558CBC4C496265,SHA256=E76FDB94EA5FA1DB49CDAC0D21A837EC7999576543BF855F9B9B39626DBF2286,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:16.667{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0779FCFC6E78E0B8DEF7B128B5BC53D2,SHA256=0064AC38AEABC9A3F49A6A2A8AD90953601CC8DBF19B490F75E7D7290C12C68C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007983645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:14.349{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62047-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015896981Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:16.056{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DC4A9ECC224F0BCA64B50ABDB9AF1DF,SHA256=00487411C306974F5F1EE52A314F71A1273C2668A9D3E23A27FF7D4A4C69C03B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:17.354{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E3880B810FEA86F7D7199250B31C345,SHA256=1DFCE24484396578229D3BD661C6EC91A0D070987ADC2AE0F63B96F25DC1B1D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015896982Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:17.072{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1AB2842D63F7F1576C2D6086C066B92,SHA256=5DED6B97AEAEDA9912D2206E4EB14EA2397FF82A83CA6B5751BCB1DE15DF57CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:18.792{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D97D6D9D5488FBB91C22FA0FCB9D7B,SHA256=CA3DEF8CBFC73A6178409AD5E6D9D21C07B3535190F2937D7515EACB0985B38D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015896983Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:18.103{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0E25EEAD5A79688F671E279DFD03AEE,SHA256=97CD66A5F0CF090D85196C688BAFE716883A380A1CAACE4174568912FF8878D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015896985Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:17.521{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51803-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015896984Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:19.150{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27CDB20C24BABA942AFEBC2D2226413F,SHA256=3D67B1CEBFD3EFCDB2E8798E5D303DC492E1CA7E6CC3913DC08F06EAB0550C9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:20.698{3BF36828-DD1D-60DD-3000-00000000C801}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015896986Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:20.165{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED398F01D84AD1C38AF1A1ACB1F44659,SHA256=FDE849B4706375378F87D52EC65402DF0A1F9AB481F9F7BC06E3660E4B559C0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007983710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.682{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007983709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.682{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007983708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.682{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007983707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.573{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007983706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.573{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007983705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.573{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007983704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.573{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007983703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.573{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007983702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.573{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007983701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.573{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007983700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.573{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007983699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007983698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007983697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007983696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007983695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007983694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007983693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007983692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007983691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007983690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007983689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007983688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007983687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007983686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007983685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007983684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007983683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007983682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007983681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007983680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007983679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007983678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 23542300x80000000000000007983677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13348E577DC9CFBFD7726663D9A370B4,SHA256=C5D5F5A5786E0C910E77C6AE5E361CF00E269B679FB1D1DA05F893202CCF0CB0,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007983676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007983675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007983674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007983673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007983672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007983671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000007983670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007983669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007983668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007983667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x80000000000000007983666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007983665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007983664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007983663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007983662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007983658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x80000000000000007983657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007983651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.557{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007983650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:21.558{3BF36828-E5E1-60DD-A001-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015896987Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:21.197{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CE7BFE751DA6D0871D9A5CD5527AB19,SHA256=FE4B48C92B11926CD8C46F8AE9A119E226A9FCB3B1B80BC2788A5BA82935BD6C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007983769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.557{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007983768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.557{3BF36828-E5E2-60DD-A101-00000000C801}36683576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007983767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.557{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007983766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.557{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007983765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.448{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007983764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.448{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007983763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.448{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007983762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.448{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007983761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.448{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007983760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.448{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007983759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.448{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007983758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.448{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007983757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007983756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007983755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007983754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 23542300x80000000000000007983753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76DFCE3475E4475411FAC781230752F1,SHA256=9F4381C5166DFFE0F548C3EC4C22E59B1443D8D38AEA400B44604341C7A523D7,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007983752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007983751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007983750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007983749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007983748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007983747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007983746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007983745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007983744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007983743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007983742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007983741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007983740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007983739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007983738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007983737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007983736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007983735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007983734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007983733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007983732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007983731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007983730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007983729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007983728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007983727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007983726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007983725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007983721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007983720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007983714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.432{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007983713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:22.435{3BF36828-E5E2-60DD-A101-00000000C801}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007983712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:19.912{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62049-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x80000000000000007983711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:19.459{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62048-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015896988Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:22.228{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02EC00EBA07B22A5FE75CF8D758B8A6A,SHA256=AE6980272B82410F677CC37EA831BA2EF6328025AEE46B4176F1878225402DEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007983884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.948{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007983883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.948{3BF36828-E5E3-60DD-A301-00000000C801}23084872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007983882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.948{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007983881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.948{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007983880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.839{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007983879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.839{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007983878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.839{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007983877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.839{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007983876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.839{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007983875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.839{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007983874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.839{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007983873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.839{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 23542300x80000000000000007983872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F0D27E55164960E018E0D573223CE8,SHA256=1E09E7A1AE9D3041454F134394264EA7F81D4BA1165CE7567A1DD4AA21C1EA56,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007983871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007983870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007983869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007983868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007983867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007983866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007983865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007983864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007983863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007983862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007983861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007983860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007983859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007983858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007983857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007983856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007983855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007983854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007983853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007983852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007983851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007983850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007983849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007983848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007983847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007983846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007983845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007983844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007983843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007983842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007983841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007983840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007983838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007983837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007983835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x80000000000000007983834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007983828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.823{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007983827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.825{3BF36828-E5E3-60DD-A301-00000000C801}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007983826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.276{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007983825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.276{3BF36828-E5E3-60DD-A201-00000000C801}48044820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007983824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.276{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007983823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.276{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007983822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.167{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007983821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.167{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007983820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.167{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007983819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.167{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007983818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.167{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007983817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.167{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007983816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.167{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007983815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.167{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007983814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007983813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007983812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007983811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007983810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007983809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007983808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007983807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007983806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007983805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007983804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007983803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007983802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007983801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007983800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007983799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007983798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007983797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007983796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007983795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007983794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007983793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007983792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007983791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007983790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007983789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007983788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007983787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007983786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007983785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007983784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007983783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007983781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007983780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007983772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007983771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.153{3BF36828-E5E3-60DD-A201-00000000C801}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007983770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:23.151{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B03DA5AD199BC945FFF4F144360ED6A,SHA256=EDB42EFEEEA5E7730FC5D52E451B196893B8831E2305F8D84B12C3D46B07D3E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015896989Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:23.259{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE78D528253AF4D3C3E9AF20469C0685,SHA256=2FF58C070E53730EEBDE7F4EA1C38D097A8BCD74F6CC23DBA962BC9A3B48DFF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007983941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.636{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007983940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.636{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007983939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.636{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007983938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.526{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007983937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.526{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007983936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.526{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007983935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.526{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007983934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.526{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007983933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.526{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007983932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.526{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007983931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007983930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007983929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007983928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007983927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007983926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007983925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x80000000000000007983924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007983923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 23542300x80000000000000007983922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B681EB94A17F5C4A84E684C5A91DD067,SHA256=A80834F4C5C1A065257846E131CF4DE0263C8BE481FF9172A1EDCA7A38FBE128,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007983921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007983920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007983919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007983918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007983917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007983916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007983915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007983914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007983913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007983912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007983911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007983910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007983909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007983908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007983907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007983906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007983905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007983904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007983903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007983902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007983901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007983900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007983899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007983898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007983896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007983895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007983892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x80000000000000007983891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007983886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.511{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007983885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:24.512{3BF36828-E5E4-60DD-A401-00000000C801}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000015896991Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:22.568{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51804-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015896990Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:24.259{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C3C0DCF236C9CD4E65B9D91CAC4B692,SHA256=613618893ABB46D699BC40B6314E6714A487B9D574F7AC4CE68ACEEA3948A888,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:25.948{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09A068CB77EBB7D06AF090842DB10B5D,SHA256=F650A1370EDB0132997666058F05066A9D9364EB85C5224139997EB5E770FD4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007983942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:25.261{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3600F214A2495B7ECC030EA828E1C02E,SHA256=358C41F10B581D23301FC5E7C5C89E20E0C0AB560B65355985C69A68FB0435F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015896992Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:25.275{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=298F21CEC8BCA9E0148B1F800BC07964,SHA256=135779257BCDCA015171679B02D8AB514BAE7D42EE85F5A0BE51C1F0F408514B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015896993Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:26.290{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C30B551FC7A0C3930B668A50C53ADE33,SHA256=AEC3059F4CE05022A6EBFC19F4118325E7CBD151266B95BC25B16A5CB052852E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:27.464{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5A4FEDBF3352BCF1579B889BD8EA0EE,SHA256=ADE369938CC2CA25C4EA3D0153AB1F72D023C497E151B5CE1CE7685538B6E095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015896994Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:27.307{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38C69797AF27B59A80D308822E7DFD4A,SHA256=5784E3E440FF07DA244D8E15681722CFDB3CD4CE7F67E6973F9B410685744590,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:28.949{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3E600A78EBD397BC4AC2DDEC0A2F5A0,SHA256=6AF5C6494D645C7BF0A30DD8913DE5733F417AB6A9FE0326B8FC6FF48C2ACAA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007983946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:28.949{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18C4708BECA6F6E123F6B25E26C58057,SHA256=A1B2A52A2165E17AE123C63D53AB37498930ACF48C01C68C121A76C6C204DA67,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007983945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:25.286{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62050-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015896996Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:28.322{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4DB1DA0D5148DFF9D5F3F2A7004E960,SHA256=114A5705FC244BDCC0BB346BBFB27D39B769D440F34429261C88F5C6B4C46368,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015896995Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:28.197{B81B27B7-880B-60DC-1F00-00000000C701}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015896998Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:27.490{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51805-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000015896997Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:29.353{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96A79F0C16D98E918DDD9B83D10956CB,SHA256=7CB884CA29495DBE0926785DC1117E72FE2C48EDC77AF99EDB11E8539DCF88A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:30.324{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69CCCA348986F582AE9D06478A25DABA,SHA256=9409FEC0E9DFF11D22A1FB0DAD2662D34C2C946625D2799EAB2ABC9F2A481F2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015897000Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:28.365{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51806-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015896999Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:30.385{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20746916F4A073C0852132485178B976,SHA256=C01DFBC1F4D8A012843965199D224891FED09686C89A1D779DB62178802F310B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:31.683{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC0ADF75B0F3557CECD0C4E021272091,SHA256=966CE00F3409DD7F733237E348B94B00566103743001CAE4F4FDB95F2A8B3E39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897001Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:31.400{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB09F0B246E462791DF7E66ACCE028EE,SHA256=96C08C9D9D07CCCB71823BC6B471F793E5F73624AF9C409800748FEC561B1733,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007983950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:30.303{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62051-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897002Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:32.416{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E5307799A1EFFCE11884F8FF7BB699F,SHA256=D0271CFFCBCE283D5B7F0AA851DF39F5045788CBECA0689D0D69FE41D6998E62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:33.058{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78E0F92A5D54FD0B175C28C3493303EA,SHA256=2063DA7F2D134B63345B359B33D0E853BED5B412337F83E164EF72FE7DAB2D80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897003Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:33.432{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75437ABE33F2536B29A27319C4430693,SHA256=D5701AF6FE42B2FBAE524C84DF2A25A682347028E5C5784927469147E377B13F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:34.418{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2808950FFAF341D9291DD2DE4CF502BC,SHA256=D57FF2D5E3D5C565CCB29C2B84BBBC9E0E1EB19D2D7AECAA3DBFBBD93FE87DA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897004Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:34.447{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71F1293F91CDF1E7380B27E69D9D9861,SHA256=012FA759EBD2A92278C3AEB7F774982FB3AAA5A1845B3C5B219182BDA299E12F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:35.841{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=337970BE6F3564B4FD35AFB569702BBB,SHA256=22961E79BEAA0F386FF13D741BE24C95711C79A514AB4EF7292740706E23E4EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897005Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:35.494{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2C518C5A48FA6D4028BC690C8F30D7D,SHA256=EF9E8A7E509F15B5324450FBF36EBEC56F7A8B364BDC81DE7B628BB6FC287648,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897035Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:36.697{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F20181CA5E634396D529163E9ACA62,SHA256=501EC11E04C6900535A2AB06C7C549096DBDEADF8EB0593DDA021E699C0B1F56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897034Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:33.475{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51807-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000015897033Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:36.088{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897032Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:36.088{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897031Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:36.088{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897030Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:36.088{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897029Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:36.088{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897028Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:36.088{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897027Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:36.088{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897026Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:36.088{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897025Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:36.088{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897024Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:36.088{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897023Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:36.088{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897022Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:36.088{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897021Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:36.088{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897020Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:36.088{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897019Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:36.088{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897018Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:36.088{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897017Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:36.088{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897016Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:36.088{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897015Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:36.088{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897014Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:36.088{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897013Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:36.088{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897012Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:36.088{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897011Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:36.088{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897010Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:36.088{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897009Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:36.088{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897008Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:36.088{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897007Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:36.088{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897006Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:36.088{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007983956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:37.888{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A6AEACC7FDD78E2F810CD436302D803,SHA256=1C9E3F047D9374A44B835B3D97EE2B820672BAA18AEA714A2B337893E30AF875,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007983955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:35.398{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62052-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007983954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:37.198{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC0ABFAFD0F85FDCAA17BD6DA65CA6C8,SHA256=1705C90B2989B610154CD6CF8FAEC5111260BC759375C2C776EF52EDFAB660AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897036Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:37.822{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A61A7AC5E2206A3D4867251FC8ECA480,SHA256=A970C064E420BC93DEB39B608B2752CDA35575C17992D75AF8E5F0E93E2B43DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:38.560{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3CBEDA5DEA4F548EB943F6D2E95AE7,SHA256=46515285F3335AD4BA2004018A2FB01ECE560A05D1EA9D7FAE07F31612ECE124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897037Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:38.869{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=386212A737C1BFE544B349BF476C9F88,SHA256=C9A82749D97A4646D2BC9CC7059592D561DB316BA9B4DC60B17AEE0626BA9F47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:39.935{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=217DC0D4A0C0FAE8F68BF0D090BA2244,SHA256=5292836208C8045F644ADBBD50F1203FAFA7003C046BE68B617A29DF52E69BE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897038Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:39.885{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E2EC58010596F177BCC87F5F5E9F60C,SHA256=B94C9474B4C6E4A0F9A1C24218B6DCB02C175CDA5239046CDE492ACFB3A72235,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897039Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:40.916{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F0627060BE37B4C7B89A9575931C68F,SHA256=7847498671C3134FC840E6ECF42213F243FCA27E6523CE902987E6497C17F5DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:41.310{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F20C74D777CABFBD127C67EB0CC9EAD,SHA256=7854DB8C97111464C64B9913B3B572F6E7F641D0826B25F2FF66BAC7FD0775B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897041Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:41.932{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72A2139EB03D2634891B9C83A989FE2C,SHA256=1F87E3C974784F9A7E3D539894E57003C2E837737D564262CDFF744B72E74991,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897040Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:38.491{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51808-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007983961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:42.685{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99D7EC11DAED9F278729083F32DF29CA,SHA256=C15D91B67265319EE9C3CA92F48011771B3D2AD5622853867E8C9A2F0262727D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007983960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:42.294{3BF36828-DD0D-60DD-1200-00000000C801}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3170B581EED1D73478819DC90D923A84,SHA256=50F5F711463FAE3F1ED51838CD17120E21412C4F12314EDC84C83E1E5CACAA22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897042Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:42.948{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C07DFBDE82D0C9B25EDFB42CB50FFC43,SHA256=6907CD6EFEEBAE14C7C58C1EE9D1E495940404C1E309D7D56D415AD6FA02094E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007983962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:41.413{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62053-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000015897069Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:43.527{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E5F7-60DD-E629-00000000C701}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897068Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:43.527{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897067Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:43.527{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897066Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:43.527{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897065Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:43.527{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897064Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:43.527{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897063Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:43.527{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897062Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:43.527{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897061Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:43.527{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897060Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:43.527{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897059Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:43.527{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E5F7-60DD-E629-00000000C701}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897058Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:43.527{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E5F7-60DD-E629-00000000C701}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897057Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:43.528{B81B27B7-E5F7-60DD-E629-00000000C701}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000015897056Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:43.277{B81B27B7-E5F7-60DD-E529-00000000C701}10122328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897055Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:43.027{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E5F7-60DD-E529-00000000C701}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897054Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:43.027{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897053Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:43.027{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897052Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:43.027{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897051Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:43.027{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897050Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:43.027{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897049Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:43.027{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897048Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:43.027{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897047Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:43.027{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897046Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:43.027{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897045Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:43.027{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E5F7-60DD-E529-00000000C701}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897044Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:43.027{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E5F7-60DD-E529-00000000C701}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897043Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:43.028{B81B27B7-E5F7-60DD-E529-00000000C701}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007983963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:44.044{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48B77D16A540C9F7292824A3CA40188E,SHA256=34387E37D134ACE56E82A93DBF392E611DE8EB9EB91BB2EF93C546BFAC8B80E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015897085Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:44.165{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E5F8-60DD-E729-00000000C701}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897084Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:44.165{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897083Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:44.165{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897082Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:44.165{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897081Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:44.165{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897080Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:44.165{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897079Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:44.165{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897078Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:44.165{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897077Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:44.165{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897076Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:44.165{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897075Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:44.165{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E5F8-60DD-E729-00000000C701}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897074Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:44.165{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E5F8-60DD-E729-00000000C701}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897073Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:44.167{B81B27B7-E5F8-60DD-E729-00000000C701}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897072Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:44.165{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB85A195B6C09C0642FDC76049685D54,SHA256=60F146C220B9330678F66C68B86F604B50E5D03ECF6CAC22AB7CEF2C9A6C942D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897071Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:44.165{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38982B887AD8EC585C5B1BCE35C4C54C,SHA256=662978ABF633E2600AEC8EDE2DB6F4DCBE0FA3FAC4E0DE4EDAD896627A493D11,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897070Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:44.165{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1196878AEE60BDDA1652053171FF7F24,SHA256=09305AE498B3F868926DE7CEB61BBDE3917C45705B0BCE27A02B967ED085FE0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:45.419{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DC1E7856EF4D1DA6284FA1B02D58238,SHA256=9028F46E5AE5808F53EB11445F081C7CBF7C7699D4459B8FFFAB34D53723B349,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897087Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:45.183{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F4D26B3BD8B0AF40D73A0B949DE97A,SHA256=043BC156D8E97FEA143C65A4BCF63837E27215F9C1E3E38E19661C9728BF452A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897086Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:45.167{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB85A195B6C09C0642FDC76049685D54,SHA256=60F146C220B9330678F66C68B86F604B50E5D03ECF6CAC22AB7CEF2C9A6C942D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:46.778{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED74F084F5B4FEBF85030E03F2CAF051,SHA256=E943775A943A601D85F3964B8A9822F1FBEBD427A0EB12E79AD662D378BE47BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007983965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:46.778{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A364FD7649B80085BFBED343722DC713,SHA256=69B0EFBD88A8747008B4706B17D036FA7C8AC62F86143F295D7A1F9B58D56D8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015897089Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:43.504{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51809-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897088Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:46.199{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26DFBA980B9AE8C22E1939D4EF118C75,SHA256=BE0E969E4E07932DB4E8D6B321A72AB910D8948376F48F81BF43B50AE78735CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015897104Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:47.624{B81B27B7-E5FB-60DD-E829-00000000C701}18043176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897103Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:47.483{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E5FB-60DD-E829-00000000C701}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897102Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:47.483{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897101Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:47.483{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897100Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:47.483{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897099Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:47.483{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897098Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:47.483{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897097Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:47.483{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897096Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:47.483{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897095Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:47.483{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897094Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:47.483{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897093Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:47.483{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E5FB-60DD-E829-00000000C701}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897092Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:47.483{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E5FB-60DD-E829-00000000C701}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897091Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:47.484{B81B27B7-E5FB-60DD-E829-00000000C701}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897090Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:47.218{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A62AD39C2904E27A2842BA7CB846266E,SHA256=3A06122EA4DBF46E6889527C05B752532133524414C5E3436A35F3051D74AF74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:48.141{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D94118D26DEBE3CE20A6189AF6E6911C,SHA256=C1B33B369770A1704DD78BAEF240B786597C321E823220F83EB987E86E49C856,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015897134Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:48.843{B81B27B7-E5FC-60DD-EA29-00000000C701}31045484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897133Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:48.702{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E5FC-60DD-EA29-00000000C701}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897132Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:48.702{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897131Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:48.702{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897130Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:48.702{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897129Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:48.702{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897128Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:48.702{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897127Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:48.702{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897126Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:48.702{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897125Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:48.702{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897124Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:48.702{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897123Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:48.702{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E5FC-60DD-EA29-00000000C701}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897122Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:48.702{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E5FC-60DD-EA29-00000000C701}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897121Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:48.704{B81B27B7-E5FC-60DD-EA29-00000000C701}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897120Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:48.702{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65BEAC2C21147D209DCD4A53BDBDACA2,SHA256=76AC003AE88A82E288E74BFFD89F617AF3E6C2B7DD7CB2EA7B6DB2EEC6FD95DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897119Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:48.702{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36B9D4BE4515B8400B0BF87FF2E5D67B,SHA256=D771B5D31FF6B38BEFF9D9F48A42DDB7210B8F1E7F611F6942EF408C7C0699F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015897118Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:48.296{B81B27B7-E5FC-60DD-E929-00000000C701}27601752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897117Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:48.155{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E5FC-60DD-E929-00000000C701}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897116Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:48.155{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897115Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:48.155{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897114Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:48.155{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897113Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:48.155{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897112Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:48.155{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897111Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:48.155{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897110Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:48.155{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897109Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:48.155{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897108Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:48.155{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897107Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:48.155{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E5FC-60DD-E929-00000000C701}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897106Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:48.155{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E5FC-60DD-E929-00000000C701}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897105Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:48.156{B81B27B7-E5FC-60DD-E929-00000000C701}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007983970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:47.448{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62054-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 13241300x80000000000000007983969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 15:57:49.641{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d76e91-0xd78da4a7) 23542300x80000000000000007983968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:49.516{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=066E2594EBD9D39BA9894649653EF29A,SHA256=640ECD2C13526292CE8133FDF00A2A630AA52AD26B6A36C4960DD1B3D395D37E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897149Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:49.733{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72EBD0E3F7AC6540FE90AF577224F51B,SHA256=C40D380196E7B72141F2609E84775C9E5166CAD1A2B332B7AD89ACD2EE43AA06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015897148Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:49.327{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E5FD-60DD-EB29-00000000C701}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897147Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:49.327{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897146Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:49.327{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897145Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:49.327{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897144Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:49.327{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897143Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:49.327{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897142Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:49.327{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897141Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:49.327{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897140Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:49.327{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897139Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:49.327{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E5FD-60DD-EB29-00000000C701}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897138Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:49.327{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897137Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:49.327{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E5FD-60DD-EB29-00000000C701}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897136Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:49.329{B81B27B7-E5FD-60DD-EB29-00000000C701}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897135Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:49.311{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6177AED644C1360906D6BBD8C8144391,SHA256=751485B2989FE8516DEE13EC639991AB9F080793713F8B8630A856EC59AAF57D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:50.875{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D86BAE48A18FD11EF7C3CDFED33A59CB,SHA256=3DC70E867808D901F431FCADB94C619802DF7B9912D96C302D739E451975778B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897150Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:50.327{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83123D6E52EE8901625CE475390A0B63,SHA256=8EEFAF1694C7BEA6E64FFC3C0E718E4190C214FAB11712D4E5267D7CCF2D4454,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897152Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:49.526{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51810-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897151Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:51.343{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C81A9CC9ACD9C7A9C69BFE1455DC062,SHA256=6B9DB801B7C43884DAE19E827E8ACB7B74BC98CF625D80A0EAFED1BAB77B30F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:52.907{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB0858F8328CA5F4ABD4EF25DF2C58A,SHA256=C5DC4EA4F78CB300D18BA9084AF0F39AC1D5E86162E48901AB4251747A8768ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897153Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:52.374{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0F1100C24A14C528BEFA8EF8705D9A7,SHA256=B881017957C5DD2BFBDE5F061938674C0F97B5D1FD50E852379CC520F4EB6EED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897154Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:53.405{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=721E6B9812DAA57E2916C73E2A35D3A1,SHA256=25FB4D6122C1D2F8D11EA98485885D4C093C7EA1D6651FBDA3C1D54257D32AB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:54.235{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20401D2D93E236FF982DBE750B8D8E67,SHA256=A764216889B5288362D4E28762CE9E2A453DC14312033415BFB07ACFFF65EA4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897155Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:54.421{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E5A0B441CE54445D5F123536CD0852D,SHA256=C899FF72FEE8C848A2BEC45DBD628295AE90E1B056373AA4E4D218A06B12B8F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:55.657{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F4E4CE33A0C9D79668C5C67E7EF967,SHA256=EF73457FAD36D0515CA8B51E915EEC0A5C76DDC66085CB1614DB7B4E5129E71E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897157Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:55.468{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EBAEAA7B6B4710D01BF9295551435ED,SHA256=F4DE7B1660C90DC44FF5FBAD1FB8806B891EF2E45A9191EB4178E75DEAEA7504,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897156Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:55.265{B81B27B7-880A-60DC-1000-00000000C701}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B76B92F558A18C78AF55E4AD71B9A819,SHA256=A32EF461E3EA0BC9609FBBB224800FF7DDCCAE993EFA3D4A261F948FB1D84564,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007983975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:53.338{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62055-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000015897159Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:54.557{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51811-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897158Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:56.530{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E5E6F00843649965DF405CF6E76BADA,SHA256=A6463F4C6AA320BA6671DCAD2BA602023F5215B2CCDCEF1EA47AB8028D630A37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:57.032{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6490DEE2719F708C6D460EE187D32E9B,SHA256=74AFB56A39A6C6627831B801632506E441A7F6E04DDE51C2D818659B5C1734E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897160Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:57.562{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BF711163690D8BFE026FD3566A7C587,SHA256=5DFCF4A7664A073E2EF495D3A07E4CC71DBDE3A8A8863ED210F8FDFBCA10B0DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:58.391{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9882385FC8B578E6412B50FC24E98A00,SHA256=084371F0A67B0F522110F3A9A4F5E1BC53AC0C35F63D56A8E50E9A2F2E712151,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007983977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:58.391{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5F1EB678AB39C741E40672CBEA37228,SHA256=6AFC17CEDB614E630158C786A452B1311E856B1A1F5B567A6C6D59640A0C3B79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897161Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:58.593{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A9C68096963FF6E9B27BE94B5B41D49,SHA256=BB0929CD19E1E3C053E872D9D8248AA1BDB4EC8E0AA24B62E7BE60EA1E50A23C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:59.751{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F6B0DB1B7536982312150AA90455AEE,SHA256=9DB1824547EA5F7AA2AA6D1CD7657B85C769F2729FDC1EA9248745D48564AFD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897162Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:57:59.655{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E0CB620C95C9A57E0BA514A23989BF1,SHA256=6ED1CB97F16E1AC75AE39679E96B21383A48BD00784A725081E8599EBEAA89CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897163Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:00.671{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A305674C4B4B425FA6582B7351BF6185,SHA256=F12891B647E1E24F88E7E85371BFDE2EC4F2B5A841EC9874DCD4B763E4EE7F79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007983981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:57:58.432{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62056-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007983980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:01.125{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=243A8E652F71C28CEB8C57C2DD2F57F2,SHA256=85734B50240AA36B679D472337D568913C42069A2A22538916FCADF63A22A37E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897164Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:01.702{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75BE5BA4EEDA3013C6C425887CCBA159,SHA256=B364B831BC6D3881BA1004830B7A5AA84F838B8FE4B0C8735C6EB99D183A608F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:02.485{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAAD850FEAFA9BD49F6CC1DF27C820D5,SHA256=9CDCAEBBA5896E46EAFCEAA22D41579747CD2296177E9C6A96E42EA734F6603E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897165Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:02.733{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBAD8C2CC8FCF1302D2BCB8F02E9FC09,SHA256=CE716DC76F5C1CCBCC5CE9508618E92BC09AB7EDD884B85C8ACE02E4CA246B43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:03.844{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D185C3B8D58E110A62D9C57A714B180,SHA256=114845C39730A72FEF33CDAB0309F192E5F7632C934F3B90950B508178881744,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897167Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:03.780{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=650A105C79D6DAB227954111F9F5EC18,SHA256=3FCF64ACF31A7B23AF243CA1A6486966A5F356C219BD7D93271C9A2EE1DE26A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897166Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:00.370{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51812-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897168Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:04.811{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=379401BBF8D36A1ECCDF85B77823729E,SHA256=A891EE542C0644E7CEC3A70AFFA7594CAD8B848FF5FCA1CB24939672F39D3A3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:05.204{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70B6674F2586F0D93F7944C2C42C0211,SHA256=5B1FB249C4C70647C2465BA7C751E701CCA41F5A11D8A6515BF88567EFED239E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897169Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:05.858{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22A43A4242D3CDEEE33945D634F7E51F,SHA256=5799F5A5B3D607E9A6125F17190F04834820024322FBC0423529D89FD56A0BC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:06.579{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA7FB965899E275ED86DA58FA46305DE,SHA256=61B82CDDC62DE0336576137932AFB2632A8AD77CFE8F0CA664D22FC0C8A70D56,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007983985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:04.322{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62057-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897170Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:06.860{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68FF9E873C30ABBAC6FE31132A6CAA95,SHA256=2384FFC7E0F89E1EB90EDA0BA25DEBFFCC93354648D14F4613230948C760D44A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:07.940{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE110E964650CA5C5776089F5D2DEEE1,SHA256=E98E0ECF706A20A54CC1023E58F874025B44B8E0F7FDCB560373D2AF1E128D1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007983987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:07.253{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A26E0CE3F04E1E438E92EAA82016798F,SHA256=C92BDC47CEA222227D998C3858B665FF463CBA53A37D18795F726792BA617B61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897172Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:07.923{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2BE88111AF16BC491C2944419A4B73C,SHA256=E7FF75FC398D0546B806A04EC54E1321328786EC4469EAE6DEA343F85E42F2DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897171Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:05.432{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51813-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897173Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:08.939{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FEBC0B8EDB1BC6CC78C0521F03DA8BE,SHA256=E13FA345E99C5386E402FAA5CEC784ADAF39953F1FD493A7C6685A812F9072C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:09.300{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BAF2443FB4ACD4A80F534BD80CE8121,SHA256=75FDFACACAEB4F6929FD069FA15F427C95EC77FC9A29289B3688DC29894439CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897174Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:09.985{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BEF183DA6A84681279C0FA25A5E84D7,SHA256=348E6B7DE1E40B2A6B5DDDEB5D913F6F6A79A89CEC44BC0CD8C621EB809B1B01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:10.675{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2D10BD43A7321CF46B82B8277FD9815,SHA256=4DB614F288E8711E4C744662C957AB9D8E7697033FCA63108CF980F1E2333799,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007983991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:09.371{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62058-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897175Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:11.001{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12E69E2D1AC173630500B45F002293E2,SHA256=99B5CE7F8572D835DC6453F86C8E51F31288412B4F036A55E95209A0F7C9C407,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007983992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:12.034{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=401361600C3EAD8FD0A1FDB5EF9A68D3,SHA256=2CC5A481FBEFAB40EEC5CC9753A79F6D049CB8190A20C5816B09637C4D090E5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015897177Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:10.434{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51814-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897176Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:12.017{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88C608F396553D712F1748AB70E01EDD,SHA256=E17B2EA9EBF606E16F69F1C69F18CFA75246D8155111B5CBACC89860C5D9FAC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007983995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:10.684{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62059-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007983994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:10.684{3BF36828-DD1D-60DD-2F00-00000000C801}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62059-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x80000000000000007983993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:13.393{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C23A95693C1F714A856376F7FA46E35,SHA256=0403DACFFD0A0C933C0F4AA5C8F5ED5B5F101AC35ADF00335E527490493E34D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897178Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:13.032{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D5262B522D035C4EEB5DF84F559FF81,SHA256=C0FDCE7808B185130633BA74D8CD48A184B4409DE607586F2EA249F459CAA16B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007984052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.893{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007984051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.893{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007984050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.893{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007984049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.784{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007984048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.784{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007984047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.784{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007984046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.784{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007984045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.784{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007984044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.784{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007984043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.784{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007984042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.784{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007984041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007984040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007984039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007984038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007984037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007984036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007984035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007984034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007984033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007984032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007984031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007984030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007984029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007984028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007984027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007984026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007984025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007984024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007984023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007984022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007984021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007984020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007984019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007984018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007984017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007984016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007984015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x80000000000000007984014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007984013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007984011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007984010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007984009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x80000000000000007984005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007983999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007983998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007983997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.771{3BF36828-E616-60DD-A501-00000000C801}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007983996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.768{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA4F6F02FFA87F9E6A1FBDF2B7FDD8F,SHA256=A476E1B14716C997C17E5A9AFA68545B2C75B10157103F492A95C6F0A0148504,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897179Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:14.048{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04EEB3F88C2452BF1A2D92BCF164827E,SHA256=516B71B9DE45944C83AC9A3B6A7BD0EB604F95D9D68B3738488CB4DC84AF963B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007984108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.581{3BF36828-E617-60DD-A601-00000000C801}49922504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.581{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007984106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.581{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007984105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.471{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007984104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.471{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007984103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.471{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007984102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.471{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007984101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.471{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007984100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.471{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007984099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.471{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007984098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.471{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007984097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.471{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007984096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007984095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007984094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007984093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007984092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007984091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007984090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007984089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007984088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007984087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007984086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007984085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007984084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007984083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007984082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007984081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007984080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007984079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007984078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007984077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007984076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007984075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007984074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007984073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007984072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007984071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007984070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007984069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007984067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007984066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007984063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x80000000000000007984060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007984054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.456{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007984053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:15.457{3BF36828-E617-60DD-A601-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897180Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:15.126{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B5C6B998369B6757FCFA475E2666841,SHA256=EFEB25184BF5BA2D384754A70A894B9DF689E49F86682550C8BECFAFF1D34327,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007984112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:14.371{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62060-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007984111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:16.815{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B10516AC5E2A23A30CB183F849742AA1,SHA256=160992EEEEB52A26C261BD258CDCBA857A753F9FFB923163E68FF99B9B585638,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007984110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:16.143{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F222459F3EAC8451BB3C7549C58FBCB,SHA256=06D4F99C49919953BC82FEAE13D9E4615B63934977489AF9AFA7185F2BD45A62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007984109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:16.143{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1500596BB6AE54DCCC5F15D00100BA99,SHA256=6F6F9C129DB55ED3C141A980C100B1CB45E5FB7261228ED7637219C3B441F026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897181Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:16.126{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39FD852AB71A4FF1EF00B6B734A106DF,SHA256=3D7427F1A59BF7E254ABDAB519A5A634FE03756DD2EA2DFD656C18C015CE671C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:17.503{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=239728677D24687C69D5205A362DEB6F,SHA256=55FA2287C4A95FE45967EB28899DFE51EF1C693A5B47D21903713A0F93DBD08A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897182Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:17.142{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB02C37248655E82C648E2B2669C1842,SHA256=7F9CBFC0C59E55EDEFABE55B16D5D2B778DE73059DB25F9E01DFA9A069A87D37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:18.940{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95D19E74DE053C538248B7D9FB6E16CB,SHA256=CA1B4FB1251C1E478DA218C58243A6ACB26A28AC3226291A32685A5B04105AB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897184Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:18.157{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41D0C7D6460F6FBED835F32A5453A9B7,SHA256=19EFE0DF81E10BBC067B2C8218519E824876F6263F7018D6E9293C850E14F335,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897183Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:15.450{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51815-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897185Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:19.189{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A16B091B9D1D2A6880386C7B6F045AE8,SHA256=41845E87691819BB51EDB21BE123AB319DAFD394A4D3D5513198EFF92B0CB831,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.722{3BF36828-DD1D-60DD-3000-00000000C801}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007984175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.503{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007984174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.503{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007984173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.503{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007984172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.393{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007984171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.393{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007984170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.393{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007984169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.393{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007984168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.393{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007984167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.393{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007984166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.393{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007984165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.393{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007984164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007984163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007984162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007984161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007984160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007984159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007984158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007984157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007984156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007984155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007984154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007984153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007984152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007984151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007984150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007984149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007984148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007984147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007984146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007984145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007984144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007984143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007984142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007984141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007984140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007984139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007984138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000007984137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007984136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007984135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007984134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007984133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x80000000000000007984132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007984130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007984129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007984128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x80000000000000007984125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007984117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007984116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.380{3BF36828-E61C-60DD-A701-00000000C801}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007984115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.378{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F34CC2541BE17237B6305DC2B5652C35,SHA256=1DE99D71D45B6EEF2D92E0737828DE4B1217C4A543CDFF52AFE4ABE38A76DF91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897186Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:20.204{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3AECF78F17CF4F625BE091187BB99A7,SHA256=17156D5868F335A118BD454EC06BAB218150897087AE59E9C339A6B77967A5FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:21.737{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFCCA21C1A2303ED8E4D8CC84BF7A816,SHA256=527E2716A4D3FBF1078271C774B1BE1EE53343F1BC87A302B7333BE2876424E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007984177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:21.065{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1F9B2F60377552609025B4FD111400C,SHA256=C28ADF8F9F7779F69F63370B690AB9AFD9C7140553BC85F145DE2192778D644F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897187Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:21.220{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EAECB75749C075B738F141637A5A76E,SHA256=63D88908466F7B6BD791598E1465030C0AA4A439ED3883FE3F492BA525F15789,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007984179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:19.933{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62061-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000015897188Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:22.235{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC15BD3BE4BAE294DCEBB033FED206EC,SHA256=316CFD072D1DB5E46157C4E3A4AD9EF49566BD9FC4C615BE14FBBA3AB314D192,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:23.768{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B55202BDF7A1E782B1A53404955DB396,SHA256=F4E1B431FDA5870A347904DA0A353BAB4CE9D6F335C568D139759AABB15BCEDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007984180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:20.277{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62062-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897190Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:23.251{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=403B73001C26654E6DEFC98735AA9BFA,SHA256=49BBF87E114AE78BA0BC830747DA59B9B248AA583EACF7FC5302A5D5DD6066C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897189Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:20.513{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51816-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x80000000000000007984238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.893{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007984237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.893{3BF36828-E620-60DD-A801-00000000C801}21922244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.893{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007984235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.893{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007984234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.800{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007984233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.800{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007984232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.800{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007984231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.800{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007984230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.800{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007984229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007984228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007984227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007984226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007984225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007984224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007984223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007984222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007984221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007984220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007984219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007984218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007984217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007984216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007984215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007984214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007984213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007984212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007984211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007984210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007984209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007984208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007984207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007984206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007984205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007984204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007984203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007984202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007984201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007984200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007984199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007984197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007984196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007984194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007984190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007984185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=888936E84175773883E6912028E00248,SHA256=6204C660F5FBE09580895D26AAAEB2B20A911F1741CD44003F5CB022478FF5DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007984184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007984183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.784{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007984182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:24.785{3BF36828-E620-60DD-A801-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897191Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:24.282{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=000A1FB929FD658BF3715D07590C2B8A,SHA256=B1B3FC286A24DCC7C0AC7A7FF2098F03274ACBF23942815EB818D963E446F6B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007984292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.925{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007984291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.925{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007984290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.925{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007984289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.925{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007984288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.925{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007984287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.925{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007984286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.925{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007984285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.925{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007984284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007984283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007984282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 23542300x80000000000000007984281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E9350BD61B0284069BF6A25E570A110,SHA256=1BC44FFA30096C203833986CC5B46D8A1EF8D5E50DAEE3356142128E35BCD1F4,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007984280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007984279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007984278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007984277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007984276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007984275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007984274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007984273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007984272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007984271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007984270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007984269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007984268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007984267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007984266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007984265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007984264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007984263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007984262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007984261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007984260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007984259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007984258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007984257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007984256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007984255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007984253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007984252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007984250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x80000000000000007984246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007984240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.909{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007984239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:25.911{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897192Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:25.298{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E63656FB1ED9B70581F3847A5D2834D,SHA256=91EE372CD4F9187A62B39395FCB5F0D37FF2C6B583097F7B34311B22763CB840,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007984352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.737{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007984351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.737{3BF36828-E622-60DD-AA01-00000000C801}3328932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.737{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007984349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.737{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007984348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.628{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007984347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.628{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007984346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.628{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007984345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.628{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007984344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.628{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007984343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.628{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007984342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.628{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007984341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.628{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007984340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007984339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007984338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007984337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007984336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007984335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007984334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007984333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007984332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007984331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007984330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007984329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007984328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007984327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007984326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007984325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007984324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007984323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007984322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007984321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007984320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007984319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007984318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007984317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007984316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007984315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007984314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007984313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007984311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007984310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007984309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007984306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007984298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.612{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007984297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.614{3BF36828-E622-60DD-AA01-00000000C801}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007984296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.034{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007984295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.034{3BF36828-E621-60DD-A901-00000000C801}37401704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.034{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007984293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.034{3BF36828-E621-60DD-A901-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000015897193Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:26.345{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D85E000C332651D8C84ABE9FA537536B,SHA256=F69AB22256ABDD16224D5C4335ECFCAF56090D387F2B5926694EF23A3309108A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.987{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CB7BE2ADA0D0FC9D06602CAFBA4613E,SHA256=8889DDB3C8CD3F8F640CAAF14ED8E263CA1AE682E7B6F33A9B2692AB2D294299,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007984409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.425{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007984408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.425{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007984407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.425{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007984406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.315{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007984405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.315{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007984404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.315{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007984403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.315{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007984402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.315{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007984401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.315{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007984400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.315{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007984399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007984398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007984397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007984396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007984395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007984394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007984393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007984392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x80000000000000007984391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007984390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007984389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007984388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007984387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007984386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007984385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007984384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007984383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007984382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007984381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007984380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 23542300x80000000000000007984379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF307A424048A55321EBAC6499C8745E,SHA256=E39CD49D2FBCADFD2F1610CB257D6F01AC17EE3E0FD0F199D26776922BEA62AA,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007984378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007984377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007984376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007984375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007984374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007984373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007984372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007984371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007984370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007984369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007984367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007984366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007984364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x80000000000000007984360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007984354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.300{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007984353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:27.302{3BF36828-E623-60DD-AB01-00000000C801}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897194Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:27.360{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0D2B5E7E966E118FF9B06B1F36A4F56,SHA256=CB5AB2078D0AA191F69EBEF1C961565A9458FB0D5A07ECAC19B948B6F9A550E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007984412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:26.277{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62063-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007984411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:28.737{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCBE9C82CC322430174AB022CB48C04F,SHA256=FFF6FFC7196ED99A38A42E8211653FA8D1617797FC20F5DF4BC5EFDD9E88910B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897196Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:28.407{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ADEF3C7CC08863907DE82CAAC70B35C,SHA256=197D42BDD4E82CABC135925B464C7775B8E9C112737E15059A936040BB5118A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897195Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:28.220{B81B27B7-880B-60DC-1F00-00000000C701}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:29.409{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F59695A513FAF1123B6F3CC946EDD0B3,SHA256=1D9904883F0FE82BF053F7ACBC35DA38ED0CBF772C0D23C54AB998F96503677A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897198Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:29.423{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6352F64CB0109B36DC00DE89ABBBCA13,SHA256=2939478A3ACCDC0519606FECCB8251E1CDD6FA9DD1B097F398298A3F773B6496,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897197Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:26.387{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51817-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007984414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:30.159{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B028768611DDBDDE87E145E270C1D67,SHA256=B862232A68223F1D28657088068EF2CE6C59CCC934C80F3A404D7B9C33734F35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897200Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:30.438{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77610828A22C173521163008C160E721,SHA256=C3CFD02207556286B3BE97CF931B0DBFA78577DCF514EDE3B903060B8B89B748,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897199Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:27.512{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51818-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000007984415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:31.659{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8C4DF7A5284A6DE423E9FADF5408779,SHA256=CDBF9845E2000B699B5E64139C77BC59CFCFCCEFCE4095A5BD6E00DB08B82024,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897201Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:31.454{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67A59079ABEC2B5BEB464558A0123DF6,SHA256=813998AF586B95F80586E50E06AD60F7C10FE8AC7805535DF8052932FB123AB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897202Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:32.501{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FB15E9E54649F699842EFB6587C4D32,SHA256=83825D4CCDCF610E2212B9663949AEA9B8BA2966457FE6ABDBA4616789548765,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:33.034{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAA48AC343DE6CE0851B218BBB9101D2,SHA256=2C8F42D6B7E7D7859C2FF4F6221A1CABE5C5D07B86F13DE1AF4A500250C17DE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897203Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:33.501{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=016FA01673D5D804B1DBF23882112214,SHA256=DBAABCDFF8364E2A6E9EF695F61A8FE8D9AE9CD31E481AB9BC48B4705D2AE5F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:34.440{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A145C16EBD48EAFD925BE572C1FF6AC7,SHA256=F3966DEDFC74449CF04E024406B3E02820406718B926C1BF2F2EC6B320926C44,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007984417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:31.448{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62064-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897205Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:34.532{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDC71AF231B6F58DA59DDDA67CEDA22A,SHA256=98D63581FA6BFA0693244F828FBA54941107222F3B26354434AC37610BE3FBBA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897204Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:31.481{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51819-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007984419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:35.815{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD6023B84FDCFA409C987900DB81ED93,SHA256=786DB31227652C8FAC6BEDFFCFE867A99AA6D41B10E177835CB15128F373537D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897206Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:35.548{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D4C7BCAA846F7151E923C0D800658B4,SHA256=9457D23434F4A562ECAE9DF9BF2D3B7FE3CD491EB600B604B4C6D5843FB50EF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897207Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:36.594{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D283B64F7701E9E50D1CD45756E51E9F,SHA256=50D81217905A380FC6BD710DEFB6D8F48BC1166C70ED06FE3103EE2E6CA060D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:37.192{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59EB0E3D90B84E45D516DA8002513A60,SHA256=DB33D21C0CB8554A09F7964B240EBF6BE75D54C62383C32E86D568BF3051CF79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897208Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:37.626{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ECBFE3976636530B62A8DD9BA2D7B6B,SHA256=FB7AA09CE88C60EA0BB0FEC02655D1CEA2B55B1D91CA87B6EA03D5C2BE8F3BB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:38.564{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32F9970A802736C71B475F5125337F5A,SHA256=10296CF169A0C796BE076DE41627541D8BB00BF14442D37777A605F5D8B7A7E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007984421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:38.564{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5907C4E26696176617FBD61BFDA1FBFF,SHA256=B8EE6617FAF68B12944C6BDD72862390655AB4DD8345284D003DE77B8702DAEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897209Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:38.641{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98295B5E9F950070808FA2C235DBC8F5,SHA256=BB86956CE30589347B8345FD5F73707ECC2F575E029871F35A696F8907BBF619,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:39.926{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=678EF031B7B955E15E8BE1F3FDA7E84B,SHA256=751A2DC4C9FA879A9DD9355B14EA83E70F3B6F770EFF3B26E75521AD9F70D7DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007984423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:36.450{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62065-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897211Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:39.704{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D725E00387B65AA7E2C3220D422F1F98,SHA256=30197A04CE1EEBBEC0BE485FB04BB5B8EA3B5142C68B50E52580640C4C1D6A15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897210Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:36.559{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51820-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897212Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:40.735{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C477DCDC05E3DDC429276CE43ABBE14,SHA256=DC0775F6C17A6280AAE9000C77C796B12C2971612B400CF0988C4B46DB2C1E46,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:41.301{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=406DDB5F1EF0B0FB2A5CB7BA5207C7D1,SHA256=37C537088E8CE5BE6FB07713A8840A492CEE52F0FA89C624F2F405A2354DCAF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897213Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:41.798{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16366735BA5EA600D08182F18AF71585,SHA256=4F7BA786C92D93578E1CFCAF214B747D684B83B154F022834B558B0E4AD0ED98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:42.676{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC715F9D3A6ACCC9538DB33F7EAD82F2,SHA256=5F636BC4130472A3B253391E2BB07E83FAB27B2C010C826D64032FF25C2FBBCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007984426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:42.301{3BF36828-DD0D-60DD-1200-00000000C801}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C3842F509D1D516624D34CA792D6176B,SHA256=1F08FD76645C34593FB31DF22C1444DE6F01459B79A574B2F38ACDFFDF81C179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897214Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:42.829{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37A5636C96EB92D4DB9E4312942331C0,SHA256=59E9293C99F41BDE058E44593FE4D6AAC81FC3E87C47F205136872051E055273,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015897240Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:43.705{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E633-60DD-ED29-00000000C701}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897239Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:43.705{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897238Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:43.705{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897237Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:43.705{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897236Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:43.705{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897235Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:43.705{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897234Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:43.705{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897233Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:43.705{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897232Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:43.705{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897231Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:43.705{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897230Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:43.705{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E633-60DD-ED29-00000000C701}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897229Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:43.705{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E633-60DD-ED29-00000000C701}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897228Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:43.706{B81B27B7-E633-60DD-ED29-00000000C701}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000015897227Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:43.032{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E633-60DD-EC29-00000000C701}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897226Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:43.032{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897225Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:43.032{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897224Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:43.032{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897223Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:43.032{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897222Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:43.032{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897221Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:43.032{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897220Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:43.032{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897219Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:43.032{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897218Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:43.032{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897217Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:43.032{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E633-60DD-EC29-00000000C701}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897216Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:43.032{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E633-60DD-EC29-00000000C701}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897215Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:43.033{B81B27B7-E633-60DD-EC29-00000000C701}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007984431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:42.340{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62066-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007984430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:44.035{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F4EB69BF94232740A606276F90864DD9,SHA256=309DD8921726C2EC8496138BA3084D9687CEC0670CB5BB64E699D8DDBA2EEC68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007984429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:44.035{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47F7778F798369686EF52DB69707E6B0,SHA256=3A2D65EF46F52093E672745BA8A883D9FFEEEE1774441DB8FCEEA21F71A2F816,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007984428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:44.035{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=CDE141588E7FBF57BA5D81D8C6DE772D,SHA256=0B54F2DCF7F2FCBEC754C422A1DEBD19692741D824B049EDF4988C6F9F7D4697,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015897257Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:44.362{B81B27B7-E634-60DD-EE29-00000000C701}48883508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015897256Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:44.252{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DE73677853EF6463B5459C1D2F22D23,SHA256=25A77601C1DC4100A252815F9B944D67DDA4CA451EDA7CCB4D6831A0B958CF44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897255Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:44.252{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91644ED68490696BF8750EB621E8B470,SHA256=FC394996263BD1429EC812D72DBFBC95E86390C90FD743194BDFB4F248A6BC5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015897254Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:44.205{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E634-60DD-EE29-00000000C701}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897253Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:44.205{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897252Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:44.205{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897251Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:44.205{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897250Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:44.205{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897249Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:44.205{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897248Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:44.205{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897247Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:44.205{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897246Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:44.205{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897245Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:44.205{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897244Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:44.205{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E634-60DD-EE29-00000000C701}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897243Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:44.205{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E634-60DD-EE29-00000000C701}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897242Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:44.207{B81B27B7-E634-60DD-EE29-00000000C701}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897241Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:44.205{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795C0C85495BB1BD3661D9735ECE092F,SHA256=8A155DA257EC18996F89BF6CAE01C435E38908B453591A98EB8F9F80F3F3B92D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:45.410{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7D6579659916EAE8269D655649E5ACE,SHA256=9FA4C3743BB32B2A37FDC3011211847C0420823A2828ED59028921D44FCD12D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015897260Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:42.434{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51821-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897259Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:45.408{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DE73677853EF6463B5459C1D2F22D23,SHA256=25A77601C1DC4100A252815F9B944D67DDA4CA451EDA7CCB4D6831A0B958CF44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897258Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:45.252{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC64AAA23437CAFC8BB6596491B3424E,SHA256=68FD97590234E1173E2BF5A1D19106DE876F986E3575F82F56F1404F79192079,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:46.770{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51F2C429029B9D24A466F29BFEED84AA,SHA256=7B5B1CBE1F318A8BA15C9282F5FDD73267BEC478E59EEBA19DF3401768A4E135,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897261Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:46.317{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D08E00453A1E9E6EFF6E54BE6CBC163,SHA256=823F73DBB19F6206915FA91C0FE0C83C5F19C4D22F94AAE67CA05B6A59E0F4FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:47.460{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A9356D85855C52EB370B7C4639F57AF,SHA256=FA8B9D391786A4F9567328CD1D55CAB6E5ADCB606716C42EC7A0DCA3E1851711,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015897286Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:47.630{B81B27B7-E637-60DD-EF29-00000000C701}34484748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897285Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:47.489{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E637-60DD-EF29-00000000C701}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897284Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:47.489{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897283Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:47.489{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897282Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:47.489{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897281Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:47.489{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897280Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:47.489{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897279Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:47.489{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897278Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:47.489{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897277Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:47.489{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897276Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:47.489{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897275Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:47.489{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E637-60DD-EF29-00000000C701}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897274Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:47.489{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E637-60DD-EF29-00000000C701}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897273Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:47.490{B81B27B7-E637-60DD-EF29-00000000C701}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x800000000000000015897272Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 15:58:47.395{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000015897271Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 15:58:47.395{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0557f10d) 13241300x800000000000000015897270Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 15:58:47.395{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d76e89-0x97ec3c07) 13241300x800000000000000015897269Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 15:58:47.395{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d76e91-0xf9b0a407) 13241300x800000000000000015897268Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 15:58:47.395{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d76e9a-0x5b750c07) 13241300x800000000000000015897267Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 15:58:47.395{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000015897266Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 15:58:47.395{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0557f10d) 13241300x800000000000000015897265Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 15:58:47.395{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d76e89-0x97ec3c07) 13241300x800000000000000015897264Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 15:58:47.395{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d76e91-0xf9b0a407) 13241300x800000000000000015897263Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 15:58:47.395{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d76e9a-0x5b750c07) 23542300x800000000000000015897262Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:47.333{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D30E4F8AB0C31C9C7D74C0F319A8C9C,SHA256=D53E6C4825521F0461468A3E3059751C17F4511C5F8ABDB73B4FA2B721636474,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:48.147{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91D856B72E27BE8896061477AEC7B22F,SHA256=963D01A5C04BDB663E568613D09E963B4143DDB153676FE09241ED8A20D4087F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897315Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:48.848{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E69708AADB14D423FA1B2E9E361D888,SHA256=9E4723B22B14223042DC5505BE04D97EAAB9A684F783C00C4EF4F3C856FEE4E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897314Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:48.848{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFB81EA3922DC0144905B20F00FE540C,SHA256=B5C843C9BB4B5577600A0A86B2AA803C946293A83338AD16D4348E193EF796A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015897313Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:48.833{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E638-60DD-F129-00000000C701}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897312Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:48.833{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897311Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:48.833{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897310Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:48.833{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897309Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:48.833{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897308Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:48.833{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897307Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:48.833{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897306Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:48.833{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897305Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:48.833{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897304Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:48.833{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897303Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:48.833{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E638-60DD-F129-00000000C701}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897302Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:48.833{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E638-60DD-F129-00000000C701}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897301Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:48.833{B81B27B7-E638-60DD-F129-00000000C701}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000015897300Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:48.302{B81B27B7-E638-60DD-F029-00000000C701}56764732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897299Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:48.161{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E638-60DD-F029-00000000C701}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897298Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:48.161{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897297Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:48.161{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897296Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:48.161{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897295Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:48.161{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897294Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:48.161{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897293Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:48.161{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897292Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:48.161{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897291Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:48.161{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897290Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:48.161{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897289Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:48.161{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E638-60DD-F029-00000000C701}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897288Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:48.161{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E638-60DD-F029-00000000C701}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897287Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:48.162{B81B27B7-E638-60DD-F029-00000000C701}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007984437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:47.342{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62067-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007984436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:49.507{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA21525F3298D50CD87C039FB35B8FA5,SHA256=683B7638FADB1E7A12119E1488493E5CABC5BA47FE71F054AEAC1A295C58295A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897332Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:49.989{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=248F4F3CC10E35051855E55708DBE227,SHA256=1DD4FFF694913E4677B22800A3D534F0779ADFBBC60756F4FE71B217C3A547B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897331Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:47.454{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51822-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897330Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:49.848{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C555669D432A1E09BBBAB0416FCB877,SHA256=CF76EB39B1AECA4751A207C1A3DA771EA8FBFC1E527759CAC9D4178423783DC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015897329Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:49.645{B81B27B7-E639-60DD-F229-00000000C701}57205200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897328Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:49.505{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E639-60DD-F229-00000000C701}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897327Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:49.505{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897326Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:49.505{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897325Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:49.505{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897324Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:49.505{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897323Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:49.505{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897322Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:49.505{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897321Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:49.505{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897320Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:49.505{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897319Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:49.505{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897318Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:49.505{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E639-60DD-F229-00000000C701}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897317Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:49.505{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E639-60DD-F229-00000000C701}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897316Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:49.505{B81B27B7-E639-60DD-F229-00000000C701}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007984438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:50.866{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E6BF053B66764C7E67D3662DCA0119D,SHA256=429CEE25DB784D1E4B081445CDA3894E0951B4855C441B9574ADB2FF36DAE923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897333Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:50.992{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DEEA9E8500BCF8CBCF3BA94258CD230,SHA256=9A44016D32EC560357637C7D1F34D00A27D96C7CE08E6B3FD832C9FB212050EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:52.241{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7A7E2032BE222A8DE74FB5F78341473,SHA256=3BCBC06CFB6ED61A678A34AC67B2FA47147F7638780840611EF24B2CE12BEA38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897334Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:52.005{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=233C82B7566DABBE8160063B24331CF9,SHA256=3C35A507D8BCF1DEEA88F88A00A0066FD970C32BE3C43A30627E7ADA27A45761,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897335Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:53.020{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1E24E074964382B0BB354370DF1633B,SHA256=13F7AE369626E55DAAD13AD3C50DB7B1E85274DBE65FD45DA66ED41FB180C41A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:54.273{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F26FA7D5CA6B409A2C67EAD6A5620F2,SHA256=88F2B2EAF1F923233DAD4DEBC23024989B6E7D996B5288C01E76313412DDEE0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897336Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:54.036{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C78F4F8088EF869001840B7838648228,SHA256=9B315D4B1ED17AA746F10F8F2073DAB2C97BF7B4CB4ADF741E89ACB67A621C0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:55.929{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C06C9ED2A521E044509B7A78C4B00147,SHA256=10D235227554B96F6E82EC651518B9A31630DA7F20BB6A2FD630F542A5F453FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007984441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:53.280{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62068-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897339Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:55.270{B81B27B7-880A-60DC-1000-00000000C701}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=EC7774F9826DAEEAAA76F7D69A18E976,SHA256=E29B268BB1F406C03A807ED4C8154CBFD995A99CA85E4906EF41B7208417EB57,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897338Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:52.532{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51823-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897337Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:55.098{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C04EA031E42BB7D8D761F7E1A21B8B3C,SHA256=07C26754D7DEAF56BD9AA9BB6C1407E4BA67C8D27C49183A81A9869058352F73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897340Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:56.114{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9566DC31D478D005936E16F025A5C7F,SHA256=0DDF13F0C2A491F7994CD9DEF4FE17871536A6ECF345693E346BE53C2DE76090,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:57.366{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F36C34343DEF16ABB2F7E21A16159B8,SHA256=1F3FDC9419082180005CFA4C9FADD0F8417AAA9D8B4DA069F2B47E7BC4AADBFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897341Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:57.130{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43D53A7D6EEE75BA69CC66EBCEB66936,SHA256=06F6F955D354226AF803277FEFB83C44CF343CBCD3B8FB9C5A0B244F09597E91,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:58.726{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DC168FFB64D61800A7E3C54B24944D0,SHA256=934DD1A20528A7FFB9F11989D1A992DE2C426667308E436A43ACC77F1CE24E36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007984444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:58.726{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFAB1D2338A10BB3D1E6F2A6317A2ADF,SHA256=06989D15A8AB13A825763B84027B185F4A7764B3B50B257CC839C2B76374D958,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897342Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:58.161{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37338C60E413B170470E97C303DD7466,SHA256=68D960BFB8EFF63B463EA7EAFAA490CE3C6D4B40F2368FDC9F23CACCBC73C7E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897343Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:59.161{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53FF8065C9058D02E3F8D929BBCE4685,SHA256=346CA6D00C874F34FB0708F4BEEABE3DF3CFB58520747352C2D2C923C2471C24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007984447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:58:58.280{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62069-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007984446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:00.085{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C96216412A942821DB55ACCA33DC75AE,SHA256=B31B155E825C610F075098F340221147F155D7E9219D1ED7ACDF1130B1F6479F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015897345Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:58:58.360{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51824-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897344Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:00.192{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9B2FB31E19787C2F38C8757A1E9405A,SHA256=A08D965EE308508E01DE66E48096D5930183CD07DF74A68CD8198FB1547BBECA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:01.460{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23225CAA52AD95B9452C054DEE1F226E,SHA256=DDD1E773952F66FEBAC42F8AF4FC8225A14FFA1E9423D47AD8238777CE603505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897346Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:01.192{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E2372C91A7834C76D49C3AD68C37738,SHA256=B1AE9443828964CE8E52AD8904D99E8BAF0647CBC9E88254EFBDA4F038E906D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:02.819{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31AA7F04EAF7BDC6E6D34A0445C1971D,SHA256=93C9F574919F5644F109E4867A84D5D1A7697D41448E0969C11495BC008C1052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897347Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:02.208{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE5D433C1B091116C7A682C122EA9CA,SHA256=688E04F26B7186377473CC9468864CBE69BBC3D74E0C58069D7A8B83D5B084B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897348Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:03.239{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CCBD939712067B6F227C20E2E56042D,SHA256=22B42EA3801C0202CF3A7415C7DA09795904A6A33069E22F3A327F66244B33F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:04.195{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40023969DF85FFD07587913014341BEE,SHA256=1D907660375F27B8BCE4337ABAA6B1C8B9A23BFD7F5CFD7ECD137155C800EB87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897349Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:04.302{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=919E3AF09E7DB7B57900EA74DA8203E3,SHA256=5FDF993BDC17E5A1DB67AC0AC0EE1DE4CF3B9BD4E64D24F93FEAFA6B5791E77B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:05.554{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E53E285ADA13ADCA1AD625FA32EC4FD1,SHA256=65441310852CAB8337285A2B826AD7506388826F61D12364E02B040E46A91E90,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015897351Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:03.438{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51825-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897350Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:05.364{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=693B6B2ECDED07A4DEDACCCA14A2A893,SHA256=4A271F14D7476CDD261C14BE67E2E102D3D73761D9A19B9AE1F8623CC9503B4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:06.918{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9DD218E60B6008E10C4345D94DB28A6,SHA256=2E04DAFDC1CB163741C397A4D5EC4528F0E05EDA91A0744CB82995450DE99E27,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007984452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:03.404{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62070-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897352Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:06.380{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4908E008BE86EDF98989908975EDF52,SHA256=CC182CA0E0C8AA7213FA4CADD9A53599693422D559327117DA2346E087E1A961,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:07.590{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4167B90CB0B290FFDDB45C041DC9ECBE,SHA256=6E212908FDDD760CAB4F222FCD995365AA5C48BDBF077ACB5601A725901704B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897353Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:07.416{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=019FF22C9C8E39F0DF1DDAC19811B367,SHA256=D3FD6E286D6A5F71051510345A7A5C290FD3A2B47FA0A2C43EDF8DE362B5BCE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:08.278{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBC80A627B165EA4B27F97F1810CDB6B,SHA256=7348B31C53C3BCF16F3E5FE48F70D987A8E2064E0117FB4D42C66DA2B88D9A83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897354Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:08.431{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4323B3014E21E11C3E766F155671ACD,SHA256=86C60FD40F8C779383497216B4AEF8BDC7AD9C0EFC4A42D29E7BD67050F727B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:09.653{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EA0D43196205E864415957288BC3805,SHA256=F7952C50CE5CE7DAC0505D046CB6EE851D38A4F101FC7D054FBBF34E9763ACE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897355Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:09.494{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40697A12DB82F95437D095DFC0D2355F,SHA256=33210DB3E4E377CB7FA31E038019C0EA9BAF2EF648074FAA55EAF10DB0439209,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897357Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:10.510{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB63E43437F6F7EF8177EA15EBB4AE38,SHA256=65877ED0CCD0DFDF1A6B33487C8D55167C0AE6A1556FA1B604CE848AD4C3053B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897356Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:08.490{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51826-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007984457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:11.012{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6373DD21CFC7549AD0F2703A6844CF02,SHA256=944EED1F852B700E9AB3E177892F538B4FE9F93272B3A2BA04C0EEA05D0FD366,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897358Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:11.510{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB9CDDF35128B2F8FB7BCF42652D862,SHA256=D6EDAFC8597C967E11CE7D65C7A41A7DCC7D23309B2C4D8257A7A377922A6660,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:12.372{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7F4829D89B290BA3682FD59A0BB7651,SHA256=35F6E18E2F0E7F2EE447A5169C97C55B63003082FE456DE28E5803A52F1D2E6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007984458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:09.425{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62071-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897359Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:12.588{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD5723204B28700D2F7CC9AA59B859F2,SHA256=BBA4F7C26596FB158018636BB6712B52BD6E20B4F3EA4AF9614B16E9CC104972,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:13.747{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3D4DC78642DB712044C7747E006C80C,SHA256=C65C78ADFA71A57381FEBD79C55FC9395DB75FDC9F95FBB7FB37CAA5673B6437,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007984461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:10.691{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62072-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007984460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:10.691{3BF36828-DD1D-60DD-2F00-00000000C801}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62072-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x800000000000000015897360Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:13.603{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9169437FC5CD8BEA9F678F205D808768,SHA256=F6DB49403470E122BD549BFE3F6AF2B4C45E9C862A58F84E3926A5FED41A106C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:14.419{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0754DAFF3D48DAE298524D74D03C923,SHA256=B5FCB1C20F8DD5DEBB95FB3B5E4ACCC0A401A4F6BD526F5B6CC7F36E877A835A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897361Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:14.603{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=740A77F32AA24C0B411655E0889616DF,SHA256=8E5F7260D770FF885BB1024432220AA6F43A07EC229C850E4C75DE2C415650F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007984576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.903{3BF36828-E653-60DD-AD01-00000000C801}3780680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.903{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007984574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.903{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007984573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.809{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007984572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.809{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007984571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.809{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007984570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.809{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007984569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.809{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007984568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.809{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007984567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.809{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007984566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.809{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007984565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.809{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007984564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007984563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007984562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007984561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007984560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007984559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007984558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007984557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007984556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007984555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007984554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007984553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007984552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 23542300x80000000000000007984551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3CE42F4BC483BE3011145A763A019C7,SHA256=0F68214725F08A6275AE8B70FC772F3140C5C4CF853E29499BD1E31F5829E90A,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007984550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007984549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007984548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007984547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007984546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007984545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007984544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007984543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007984542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007984541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007984540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007984539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007984538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007984537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007984536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007984534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007984533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007984531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x80000000000000007984528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007984521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.794{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007984520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.795{3BF36828-E653-60DD-AD01-00000000C801}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007984519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.215{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007984518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.215{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007984517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.215{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007984516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.122{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007984515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.122{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007984514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.122{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007984513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.122{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007984512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.122{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007984511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.122{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007984510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.122{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007984509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.122{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007984508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007984507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007984506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007984505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007984504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007984503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007984502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007984501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007984500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007984499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007984498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007984497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007984496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007984495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007984494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007984493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007984492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007984491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007984490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007984489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007984488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007984487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007984486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007984485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007984484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007984483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x80000000000000007984482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007984481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007984480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007984478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007984477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007984474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x80000000000000007984470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007984465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.106{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007984464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:15.109{3BF36828-E653-60DD-AC01-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897362Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:15.666{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB3975012735934DCB09BAD7F9999F56,SHA256=DB84016EFABAC14CE1F944C540927CC51C30BC4E19C805DFCECA6E805A38CFAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:16.466{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2983956B6C1179D844E62F3F1DCA3DBA,SHA256=D508A61216CB728F5D39238C25B940DFD4264866BB5646265D60C4BC04076178,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015897364Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:14.380{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51827-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897363Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:16.681{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=458011AE8F8FFB17FF9C2677B083DD4D,SHA256=A0D4B8F311A166D82568C9C300F8642693BCA468B8D38AB86A1DE82B10ABE95A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007984579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:14.472{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62073-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007984578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:17.169{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978E85B51284FB9776DABDA7DD741593,SHA256=DA92FCA714931E1B217AFC245684FE2FADA6CC3B3DA9AC9756BEA5A98702F581,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897365Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:17.713{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27BBFACFC75DE93866AE70F66D40AD8F,SHA256=9A09C7E7A0EC70FC507B97D9CDC5F4F8FAF3E22738CA5DAC51A5A97225AA2A9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:18.591{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58CBD866A1F77112D9CA83B687E16B11,SHA256=FF75891317289E819F55004A79DDBC702B4609B50226E87DEE0856275B9336B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897366Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:18.744{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ACF1395762EA461909589B0C0418376,SHA256=49D87A7CF2AFD34C75629AAB18F2B14253C6B4709DD8D417FEA408B22C7D4E58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897367Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:19.760{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A165D1380FA4D0A73F2D24C70A7CADF,SHA256=C86573C3B7EFF42BCFA51DF466E895CAB42B2FFE4E2F2FECEA28E04B42DFA9A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007984642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.809{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007984641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.809{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007984640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.809{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x80000000000000007984639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.747{3BF36828-DD1D-60DD-3000-00000000C801}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007984638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.716{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007984637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.716{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007984636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.716{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007984635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.716{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007984634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.716{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007984633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.716{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007984632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.716{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007984631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.716{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007984630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007984629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007984628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007984627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007984626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007984625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007984624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007984623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007984622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007984621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007984620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007984619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007984618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007984617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007984616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007984615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007984614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007984613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007984612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007984611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007984610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007984609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007984608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007984607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007984606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007984605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007984604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000007984603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007984602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007984601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007984600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007984599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x80000000000000007984598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007984596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007984595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007984594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x80000000000000007984590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007984583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.700{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007984582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.702{3BF36828-E658-60DD-AE01-00000000C801}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007984581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.028{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A338D638A23F6FECA2DC286366E83261,SHA256=E1426A20CC0CAB06E72E5C66BC37DE5E8DB344199E39A4264C0246B99B56BDA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897368Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:20.760{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EBFC90162C6928DFB0C3FBA19FB984D,SHA256=0C21637E0EADAD9FA1C2B07BF2640AC6F87E7F4E4DDA897FEFEB2E0E3559CF69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:21.387{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2913920922E9E489E20BC7A1FAE364A,SHA256=CABA99F487D81A4C1333325C708E6E199FF2A11B45D204104A918C16BF8B06DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015897370Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:19.458{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51828-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897369Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:21.775{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=690AB4CFB329A6D55C56FB63F942B7A9,SHA256=DAE3B2950786D093D79F75E091233B4D123555B4842F0CBCED8E9EB29BA5CC94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007984703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.887{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007984702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.887{3BF36828-E65A-60DD-AF01-00000000C801}728624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.872{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007984700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.872{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007984699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.778{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007984698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.778{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007984697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.778{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007984696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.778{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007984695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.778{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007984694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.778{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007984693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.778{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007984692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.778{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007984691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007984690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007984689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007984688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007984687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007984686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007984685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007984684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007984683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007984682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007984681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007984680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007984679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007984678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007984677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007984676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007984675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007984674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007984673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007984672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007984671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007984670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007984669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007984668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007984667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007984666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007984665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007984664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007984662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007984661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007984660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007984657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007984649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007984648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.765{3BF36828-E65A-60DD-AF01-00000000C801}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007984647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.762{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F151492CC3B0F7BCFCD88471A38C8C3C,SHA256=A4B8B83F3C75F1F962E8F3DEBC5611D788EF0CDB362FBCF64E8492BFF894F159,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007984646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:20.347{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62075-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000007984645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:19.956{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62074-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000007984644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:22.075{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=190C8C66E491068996E83B3665D550F5,SHA256=AE272FBD3877D6ECBEFF185E2D9C3FB530F476BD1C3A1A1BAFE5C963B276362F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897371Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:22.806{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92A7ADE99C0F6EC7761B8934E1AA0FC4,SHA256=F7C50874D9D93CFA9689C2F7C2E5BB0C38832B0A212C3E21B8840014C3D40100,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007984759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.559{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007984758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.559{3BF36828-E65B-60DD-B001-00000000C801}8964836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.559{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007984756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.559{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007984755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.450{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007984754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.450{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007984753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.450{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007984752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.450{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007984751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.450{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007984750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.450{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007984749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.450{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007984748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.450{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007984747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007984746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007984745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007984744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007984743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007984742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007984741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007984740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007984739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007984738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007984737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007984736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007984735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007984734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007984733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007984732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007984731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007984730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007984729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007984728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007984727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007984726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007984725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007984724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007984723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007984722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007984721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007984720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007984718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007984717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007984714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007984711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007984705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.434{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007984704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:23.437{3BF36828-E65B-60DD-B001-00000000C801}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897372Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:23.853{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F7D1F95088193AA106DFC76B78F83F2,SHA256=D0A36C8E540F1FD4ADF29B9FEE704E285081CFF3C606EF9729DADA28BF923894,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897373Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:24.853{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F489D64F58B900E63F9D4848248B05F4,SHA256=6A797D74CF387B7A5AF9BFCC17D23E79ACBA780A4FB1E16BBBDB0B28D732E964,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007984816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.575{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007984815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.575{3BF36828-E65D-60DD-B101-00000000C801}1188968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.559{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007984813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.559{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007984812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.466{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007984811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.466{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007984810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.466{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007984809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.466{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007984808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.466{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007984807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007984806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007984805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007984804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007984803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007984802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007984801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007984800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007984799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007984798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007984797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007984796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007984795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007984794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007984793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007984792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007984791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007984790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007984789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007984788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007984787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007984786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007984785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007984784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007984783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007984782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007984781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007984780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007984779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007984778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007984777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007984776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007984774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007984773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007984770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x80000000000000007984768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007984761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.450{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007984760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:25.451{3BF36828-E65D-60DD-B101-00000000C801}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897374Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:25.869{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1B34627B8522943D9CB04DA3EBEDC5B,SHA256=0F1774D797DA5AF61139CA3A4A4FF176D871B04500E1B5D076AA2AD6DCA426E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007984873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.591{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007984872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.591{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007984871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.591{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007984870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.481{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007984869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.481{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007984868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.481{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007984867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.481{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007984866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.481{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007984865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.481{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007984864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.481{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007984863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007984862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007984861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007984860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007984859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007984858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007984857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x80000000000000007984856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007984855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007984854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007984853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007984852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007984851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007984850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007984849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007984848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007984847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007984846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007984845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 23542300x80000000000000007984844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8713836450FA6D84399707BF7D54A59,SHA256=8B2A16D7755882B6B6A9C52AD9A7C0000EA5D68EC1E893F097630B5114EAB556,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007984843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007984842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007984841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007984840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007984839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007984838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007984837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007984836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007984835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007984834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007984833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007984831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007984830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007984827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x80000000000000007984824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007984818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.466{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007984817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.467{3BF36828-E65E-60DD-B201-00000000C801}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897375Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:26.917{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29A497D412C9BCF3BDC92CEE2C629C52,SHA256=29CB9753527200DA792C523E2713ACFA354DB29BEA87074BF040A82F78E123A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:27.811{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E784D168819C92BDCB37A59D832F7DD9,SHA256=B120C6B9293F24120FC3BFDFCBD818F0D7444F69BD53147067419D1C4749CCF7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000007984874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 15:59:27.155{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d76e92-0x11ad0ab8) 23542300x800000000000000015897377Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:27.933{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1138784876FF36A6CB008E8B20F20641,SHA256=99C1251ECE78CAFC3652706D28614B30B7A0EDB11DC70FA0F6FF0A033CF5CF93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897376Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:25.489{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51829-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000007984877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:26.364{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62076-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007984876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:28.545{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC7A8A53F2BE0B955413D9E5C20E15AF,SHA256=201C879EEF912FF0E623B020868C8BA18BBFFB0191B958494AA7703D1747022B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897379Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:28.949{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F55B8BC420C125FB372FCF23DA4ABF6E,SHA256=A041767BA310F33D6155D61EA41CDFA22A0258EA99994584DC58AF2E1F9C4FAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897378Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:28.246{B81B27B7-880B-60DC-1F00-00000000C701}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:29.295{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE1D24F5023C1BFE2609164F8D486C71,SHA256=EC6471A62553C6D987FD70596102B3B3F22F1D9E120A58DB82CAC8850860BDEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007984878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:29.295{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B90A3AFF7D143EE452A7A457DC81CF46,SHA256=88D825AB3736A0101A9440FAA5E581FF1BDE404038F5DEB5DF713F3965AAAE2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897380Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:29.949{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B100EDBD1BA2924637FA3872EF03C79C,SHA256=71A1CC154F2C85A9D030907AB85A3C00A0C781CB42524E83034D8FC5B9B1C062,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:30.077{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1070750AFF419B8A3CF267316D87FECF,SHA256=EB255ABF1747CAB1A7215B78E7A1602D4B05D8D417974FE88638CFE64E9FBA02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897382Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:30.964{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=942B668DDBE7DEE3D4C4D6B535A43305,SHA256=AC32A5D7D8BBADAC129815920499E9F11D49C83CFC717F4F24D3762F9F19ABAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897381Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:27.538{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51830-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000007984881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:31.577{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A29DECC7697DB7AA0E7914BFB9A74839,SHA256=5DA6DF57F462FDD5B959607FB11223BFAC4309A9E6A399E0F610CEDC061061DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897383Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:31.980{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=727BED5FCD3049A6BF48DD2F806BBF8F,SHA256=0FED22C310E86B74BBD4B9552FBCDA2A8BB3A5A4639E8566F9B41C4144684DDC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:32.967{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAD9885BEC0218C0F0DDD8432ED7168F,SHA256=2385FF703AE561B5753E9504FDAB0430AF452A8AA12A48C61BB0B64A04D57600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897384Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:32.996{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44D965B1C7B4AE42CB9C96D5B46CEB25,SHA256=617903DC9D6E703A8F688108A50C03023904900B90CD4E332E9F8DDEADF5341D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897386Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:33.996{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=609C316F27A750F9B25E301F5E5788AA,SHA256=87259D54EDFB21D769551D719099F7F163B0D91E370313C4BBF9B482F35ACC14,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897385Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:30.553{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51831-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007984884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:34.342{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC2146B988621076EA4D608C4C93D4E2,SHA256=8ACE4F4D36550FEAA91B3A6E075242A4BDBD8DAE1E86E6FADBC6C3C9540C1DC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007984883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:31.489{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62077-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007984885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:35.702{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD64F263ECA26ED0C840473452F753DB,SHA256=83BE27F0195F137BB051333EB199FBD291A31C325B2B0F02C5103CBEB72AE4AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897387Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:35.011{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5B3C4D195E530EFB950246672C2A100,SHA256=1DCC1C7023037E351A1D42F29039AF4FF8E67D3E0D27CC4A0449DA5E6F000659,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897388Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:36.027{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7387087A85815FE77086303A76903F2,SHA256=7F3D7095BAA17F838D2F8F8B7EE818A7DE9C2415BEB40D244D26A68EC7E96D13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:37.077{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8259ED3559D9F2D7F73228419F5EFD74,SHA256=99A4539915D50B25BCBB93D4245ED900643C28FCA34D7E97CAC73DB5F478C302,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015897417Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:37.089{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897416Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:37.089{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897415Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:37.089{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897414Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:37.089{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897413Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:37.089{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897412Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:37.089{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897411Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:37.089{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897410Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:37.089{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897409Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:37.089{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897408Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:37.089{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897407Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:37.089{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897406Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:37.089{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897405Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:37.089{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897404Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:37.089{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897403Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:37.089{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897402Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:37.089{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897401Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:37.089{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897400Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:37.089{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897399Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:37.089{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897398Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:37.089{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897397Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:37.089{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897396Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:37.089{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897395Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:37.089{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897394Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:37.089{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897393Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:37.089{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897392Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:37.089{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897391Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:37.089{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897390Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:37.089{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015897389Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:37.042{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF2A0B46928FEB6868BDE1A78805D616,SHA256=13D24FCEA6AE25BE17C2EBE95190CEB7D491EB4F2D76A6029F9B54DA569707C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:38.437{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=151DBBA49D8FAAE319C720714E833965,SHA256=F5652BBEB187D11122AD15C5DB57856DD58234655B30DAD8A16D2C60D0C1329D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897419Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:38.417{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=606A271BD747211DF65B0B3101732E14,SHA256=7A9429881628159AD430B2268F34C3ED32FBA5CACC9F67B15B3135C4BD6F8EB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897418Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:35.553{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51832-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007984890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:39.812{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD82C92D39D27B31631EED88E00303B9,SHA256=FBAD67123D0BC0CDF484D1B78C4B1CA0E0D7833773E8B4D87FA14B51946B8285,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007984889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:37.240{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62078-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007984888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:39.123{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=922E6D4608F6CBF2338D19A70B1B7431,SHA256=4B0113B6BE7E62C858E7FFC652FC811019A5E538CDD5B7D0B06B21E85A920786,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897420Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:39.058{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E643469C9BC60322024360F961690D8,SHA256=5E56C2D6BD9131B1145C53B7293411475668FE555046D5F241BBBC904F2E789F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007984891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:40.656{3BF36828-DD0B-60DD-0B00-00000000C801}6522840C:\Windows\system32\lsass.exe{3BF36828-DCF0-60DD-0100-00000000C801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000015897421Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:40.074{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BD9535B00A5F695CC7991B6756E4881,SHA256=2CB5A93B13185074E8ABCA61B679FBBF35A623255CFA3128492C426FCFFDEF59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:41.187{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5F45D7DFC7638DAE478120E2373CAF2,SHA256=3A55D19CE63A958AC1A93B71B7E9AF881E7E16A051E94FE955E43D2881E49747,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897422Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:41.089{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40EF8F1DC4611524F69BFB282FCD9C8B,SHA256=382463279D3AA586FE2FDA87AC632E581AFAB6DA105880541DD7A1FCC7036909,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007984898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:39.881{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62079-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x80000000000000007984897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:39.881{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62079-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 23542300x80000000000000007984896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:42.547{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4D3F93204C3B42DB653A92AF081B9BC,SHA256=9F167B9439CEBCAD1CEFEED8D702A9D2D64A9F32CC924F613283186A7934C746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007984895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:42.312{3BF36828-DD0D-60DD-1200-00000000C801}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=075C2ADF14A31D706D2F5E3F4D29FB35,SHA256=62304C5D22D520C16DA6441D19B27FD4DCB9F4188B900F78943A8E37D911CE85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007984894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:42.172{3BF36828-DD0D-60DD-0F00-00000000C801}3441956C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:42.172{3BF36828-DD0D-60DD-0F00-00000000C801}3441956C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015897423Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:42.105{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A3350EE414A120DCFC2376C906ACF7,SHA256=A1145ADDDDFFBCE16E12676D903391D8CBEAAA7BDFE2A5FFE223AE3DC202805B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.922{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5749408BDAB62DF8CA05857697DE873,SHA256=FD4502D655471E42AE17CAE6A899F2AD306A789CE9BFDA92C5E9FF21FCC16E98,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007984934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.890{3BF36828-E66F-60DD-B301-00000000C801}2932C:\Windows\System32\rundll32.exeC:\Windows\System32\acproxy.dll10.0.14393.0 (rs1_release.160715-1616)Autochk Proxy DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationacproxy.DLLMD5=CC91CC38EF34BFC9C69105378EBCAD81,SHA256=F04EF0A764076D2ACC4778D9287031231ECF42F43CDBD9AD309401344D249423,IMPHASH=513B8CE1F214D0558EAF3816A1997B1EtrueMicrosoft WindowsValid 734700x80000000000000007984933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.890{3BF36828-E66F-60DD-B301-00000000C801}2932C:\Windows\System32\rundll32.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007984932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.890{3BF36828-E66F-60DD-B301-00000000C801}2932C:\Windows\System32\rundll32.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007984931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.890{3BF36828-E66F-60DD-B301-00000000C801}2932C:\Windows\System32\rundll32.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007984930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.890{3BF36828-E66F-60DD-B301-00000000C801}2932C:\Windows\System32\rundll32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007984929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.890{3BF36828-E66F-60DD-B301-00000000C801}2932C:\Windows\System32\rundll32.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x80000000000000007984928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.890{3BF36828-E66F-60DD-B301-00000000C801}2932C:\Windows\System32\rundll32.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x80000000000000007984927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.890{3BF36828-E66F-60DD-B301-00000000C801}2932C:\Windows\System32\rundll32.exeC:\Windows\System32\ifsutil.dll10.0.14393.4350 (rs1_release.210407-2154)IFS Utility DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationIFSUtil.DLLMD5=DCB1DE4A8671328D42D061B6ED6C2A93,SHA256=67D091CFAD45414B539304C00331B82A74BC8DAC78BC4E402E9FBEAC8ECAA9C3,IMPHASH=0E557C55A7A21DBCC8E07D9966BC3E99trueMicrosoft WindowsValid 734700x80000000000000007984926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.890{3BF36828-E66F-60DD-B301-00000000C801}2932C:\Windows\System32\rundll32.exeC:\Windows\System32\ulib.dll10.0.14393.4350 (rs1_release.210407-2154)File Utilities Support DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationulib.dllMD5=46C8B58EB729C4ECC5AEE9943C44C3C3,SHA256=236D3E938A74C5767C5644940C1E6811FF27EF0A945DBC4CC73CF3E65230E85F,IMPHASH=EB819079EF9EA0EFF84B236088DCA17CtrueMicrosoft WindowsValid 734700x80000000000000007984925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.890{3BF36828-E66F-60DD-B301-00000000C801}2932C:\Windows\System32\rundll32.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007984924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.890{3BF36828-E66F-60DD-B301-00000000C801}2932C:\Windows\System32\rundll32.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007984923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.844{3BF36828-E66F-60DD-B301-00000000C801}2932C:\Windows\System32\rundll32.exeC:\Windows\System32\imagehlp.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT Image HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationIMAGEHLP.DLLMD5=E1C665DC0FD5A7423B0C0F5325A1027F,SHA256=8B84BE9335EF640ABAA8E8BBA45C6BC77F2251359D4BCC157235CB4BC107AE69,IMPHASH=C88C4D131D277C03F0879B4E0D5679DBtrueMicrosoft WindowsValid 734700x80000000000000007984922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.844{3BF36828-E66F-60DD-B301-00000000C801}2932C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6CtrueMicrosoft WindowsValid 10341000x80000000000000007984921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.844{3BF36828-DD0D-60DD-1400-00000000C801}104892C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.844{3BF36828-E66F-60DD-B301-00000000C801}2932C:\Windows\System32\rundll32.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x80000000000000007984919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.844{3BF36828-E66F-60DD-B301-00000000C801}2932C:\Windows\System32\rundll32.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007984918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.844{3BF36828-E66F-60DD-B301-00000000C801}2932C:\Windows\System32\rundll32.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007984917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.844{3BF36828-E66F-60DD-B301-00000000C801}2932C:\Windows\System32\rundll32.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007984916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.844{3BF36828-E66F-60DD-B301-00000000C801}2932C:\Windows\System32\rundll32.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007984915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.844{3BF36828-E66F-60DD-B301-00000000C801}2932C:\Windows\System32\rundll32.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007984914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.844{3BF36828-E66F-60DD-B301-00000000C801}2932C:\Windows\System32\rundll32.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007984913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.844{3BF36828-E66F-60DD-B301-00000000C801}2932C:\Windows\System32\rundll32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007984912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.844{3BF36828-E66F-60DD-B301-00000000C801}2932C:\Windows\System32\rundll32.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007984911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.844{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.844{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.844{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.844{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.844{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.844{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.844{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.844{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.844{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.844{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E66F-60DD-B301-00000000C801}2932C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007984901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.844{3BF36828-DD0D-60DD-0F00-00000000C801}3442024C:\Windows\system32\svchost.exe{3BF36828-E66F-60DD-B301-00000000C801}2932C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e0a4|c:\windows\system32\UBPM.dll+11662|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.844{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.844{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897452Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:43.746{B81B27B7-E66F-60DD-F429-00000000C701}52245680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897451Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:43.605{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E66F-60DD-F429-00000000C701}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897450Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:43.605{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897449Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:43.605{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897448Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:43.605{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897447Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:43.605{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897446Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:43.605{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897445Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:43.605{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897444Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:43.605{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897443Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:43.605{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897442Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:43.605{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897441Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:43.605{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E66F-60DD-F429-00000000C701}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897440Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:43.605{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E66F-60DD-F429-00000000C701}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897439Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:43.607{B81B27B7-E66F-60DD-F429-00000000C701}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000015897438Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:40.569{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51833-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897437Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:43.105{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9005F7CF206F9BF43474B6EEBAFE921B,SHA256=350462B92C6DB93BE47F8E156A1A7DBA14475388E6B236E83C9B910E5B8E9F01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015897436Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:43.042{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E66F-60DD-F329-00000000C701}2244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897435Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:43.042{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897434Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:43.042{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897433Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:43.042{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897432Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:43.042{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897431Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:43.042{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897430Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:43.042{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897429Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:43.042{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897428Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:43.042{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897427Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:43.042{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897426Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:43.042{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E66F-60DD-F329-00000000C701}2244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897425Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:43.042{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E66F-60DD-F329-00000000C701}2244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897424Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:43.043{B81B27B7-E66F-60DD-F329-00000000C701}2244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000015897468Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:44.230{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E670-60DD-F529-00000000C701}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897467Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:44.230{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897466Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:44.230{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897465Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:44.230{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897464Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:44.230{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897463Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:44.230{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897462Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:44.230{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897461Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:44.230{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897460Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:44.230{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897459Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:44.230{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897458Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:44.230{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E670-60DD-F529-00000000C701}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897457Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:44.230{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E670-60DD-F529-00000000C701}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897456Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:44.232{B81B27B7-E670-60DD-F529-00000000C701}1476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897455Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:44.121{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B1B23B9C6FBBF13CA2DBCFDAAA6A89,SHA256=E6EA739241C8FF5622AC70DEF68125598B5B8EDE25F0D18A32C7004CC63AB004,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897454Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:44.089{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2F2CD36E85881C5770EE330BC773258,SHA256=FC1149D5FAE72FE2909AEADB7C6AE3D462B717E1233FFF011D8EBD56C46CADA2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897453Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:44.089{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99E7742A484E9117177D038F3B0648EB,SHA256=ADE53391A9AB2FBCBF4881354109827C7F2022F4478CACEAA1DDAD76B401F3CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007984937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:43.271{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62080-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007984936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:45.297{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD7F1AECDC33585FDF4E927DE5196B6A,SHA256=E8A90362216960DA454811CE603F14456058DEAF44EBE90368EAE1401058953E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897470Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:45.387{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2F2CD36E85881C5770EE330BC773258,SHA256=FC1149D5FAE72FE2909AEADB7C6AE3D462B717E1233FFF011D8EBD56C46CADA2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897469Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:45.122{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A43C043B93536241189DECEC5C51B4A0,SHA256=872BC31278233BF2B9D5557015B4CA9B1A1832163333ACDAFC3FC0148463A24E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:46.656{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F751E29E3C2950F244FFB157FF1BC7F4,SHA256=8516B643BF9BDDBE52407D10110646AF1204591C68FC3223D15FBA7EE9CD6FD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897471Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:46.125{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C5161696FF0B1E60B58988C74F3371C,SHA256=9203DA77E2C5FAAAEB2E7D69E935009E3333BE30E92A083F574BCE4B2D9E0C53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015897486Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:47.623{B81B27B7-E673-60DD-F629-00000000C701}58762784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897485Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:47.482{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E673-60DD-F629-00000000C701}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897484Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:47.482{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897483Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:47.482{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897482Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:47.482{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897481Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:47.482{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897480Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:47.482{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897479Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:47.482{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897478Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:47.482{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897477Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:47.482{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897476Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:47.482{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897475Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:47.482{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E673-60DD-F629-00000000C701}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897474Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:47.482{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E673-60DD-F629-00000000C701}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897473Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:47.483{B81B27B7-E673-60DD-F629-00000000C701}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897472Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:47.138{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16D5F929DE6DD5845BDD87A4B9521115,SHA256=2FD3108EEDC63ADCFF215FFF0FC15FC292FB7B30DCB005F677959C700BC34F62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:48.064{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7887DE9D0EC7020445592C74CD63A407,SHA256=A2C57694764FA7ECBAC6EAB2FA68302774143FAE8636888F5F1BD9EEA6E20DE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007984939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:48.064{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9F4F8494CC724FD193B2669ED8B11EB,SHA256=ADC6CC26178ED71959E8E09CC03895DA9A31D40F229B6360F1517F6FA08DFE0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015897516Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:48.982{B81B27B7-E674-60DD-F829-00000000C701}60842384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897515Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:48.826{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E674-60DD-F829-00000000C701}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897514Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:48.826{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897513Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:48.826{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897512Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:48.826{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897511Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:48.826{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897510Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:48.826{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897509Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:48.826{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897508Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:48.826{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897507Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:48.826{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897506Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:48.826{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897505Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:48.826{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E674-60DD-F829-00000000C701}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897504Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:48.826{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E674-60DD-F829-00000000C701}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897503Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:48.827{B81B27B7-E674-60DD-F829-00000000C701}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897502Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:48.701{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7CFC37D5319C485A81648AF87B1AAB4,SHA256=857E141F5E061DA1EEE5F21C2B63FF1BF3491061E85EB72804E2BAB999F9D395,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015897501Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:48.310{B81B27B7-E674-60DD-F729-00000000C701}7885972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897500Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:48.154{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E674-60DD-F729-00000000C701}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897499Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:48.154{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897498Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:48.154{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897497Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:48.154{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897496Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:48.154{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897495Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:48.154{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897494Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:48.154{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897493Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:48.154{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897492Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:48.154{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897491Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:48.154{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897490Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:48.154{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E674-60DD-F729-00000000C701}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897489Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:48.154{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E674-60DD-F729-00000000C701}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897488Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:48.155{B81B27B7-E674-60DD-F729-00000000C701}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897487Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:48.138{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BBA6D9AAFD501FEA1FF9807E469334D,SHA256=275AC8D98CDC1F08FDEB412D675E737570E219A4493F8FBDB7F5C4E48566B6AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:49.423{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0836BFAB7CA5A65BEEC8D1DA2CEF9DD5,SHA256=95A8D434520F37D885C29444B8753091E11D35CF8D1C7836FD6E330DD4118A09,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015897531Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:46.571{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51834-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000015897530Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:49.498{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E675-60DD-F929-00000000C701}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897529Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:49.498{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897528Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:49.498{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897527Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:49.498{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897526Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:49.498{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897525Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:49.498{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897524Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:49.498{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897523Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:49.498{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897522Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:49.498{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897521Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:49.498{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897520Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:49.498{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E675-60DD-F929-00000000C701}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897519Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:49.498{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E675-60DD-F929-00000000C701}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897518Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:49.498{B81B27B7-E675-60DD-F929-00000000C701}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897517Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:49.279{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F90A17B457C37F9CDCDDD6BB13FC04F1,SHA256=23EFAC395359CEBE54FD3ADE8EF0D2B2793354EAFFA69D804136BF296D8FB7CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:50.798{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65DC48ED8920898297874061C4ECA435,SHA256=859B540D5B2BEADB6737927FC9F1DE76DA070B8B2C9F092B98BE67CB8656B1EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897533Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:50.295{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF654FDFD40B729E3905EC328E13F6E6,SHA256=CF6C284EC92117DFAB854544A4659947B9CC0F0B2D72E091338F3DE7CCF0BFFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897532Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:50.045{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67AB6AB388DA203DCE4464128CD34180,SHA256=A9329FE08C13E969A43471202A3D772044F37A4F79AB7F9B8BFA4AFD522EFFE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897534Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:51.326{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CC5A4AB453C622C1AE4BA3769D16474,SHA256=D85680527234AC569FD46931791A70E97007B45C719120B45B83C0ED0EAC085B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:52.157{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50E4ABC74C64D1166C182B88A2EBDDC9,SHA256=FE03D8A960F84076B5BD903E6EB792324B99D26A11C1B950A8E5A2E1DD3F232C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007984943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:49.288{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62081-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897535Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:52.326{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5347A82FE55634BDFC65AF5A56F89004,SHA256=5B5FD9F6654C38F1A5579540233BEB7FD1631EE67F8CA20B127F8E29439DB44E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:53.517{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59397F05F339C766DFE32EAACEEF438E,SHA256=2B739E263369553860960C3EE535619791AC3B9CD6CA6A9F3A38C2363A6067EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897536Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:53.342{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D990C75BDF5A1187533756B7AEE669E5,SHA256=DA69F60EEF2D95F272C348DD40625C5DCD9E5CA516E298AE0D6A9DA0099340EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:54.892{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42BA23D783234BF5BB5FCB9079A54BCF,SHA256=93EC0BD6F804BE1EC62931CD8F173FC3B10F0AE30ECB380D3317185094238F93,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015897538Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:52.384{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51835-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897537Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:54.357{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D8CA8CD1626F444289249504165650,SHA256=1F196ED6E4F60C2EA17CB98495F05C84376B5944F3553F5605CB32871F17CCCA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897540Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:55.388{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D851F3AE63BC4B633FC827B33B26DC56,SHA256=FE2BC62299DE0157039939433583B8B4D56E91A33918B05DBBE584F8F0D40CCE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897539Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:55.279{B81B27B7-880A-60DC-1000-00000000C701}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CBF0833892423EF4F73165B9189CB89B,SHA256=9BCB95659F49F815FD7C82DF1F7A1C5562DE7FA90998AB53DC5201A19C97980E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007984947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:54.303{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62082-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897541Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:56.420{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74191B14EC490BB7851C93446219AA4A,SHA256=FFC6B90232AC5C6095369CD8792640D028B6081DAC979F64A78D80897F33C5F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:57.579{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A216214F1BB81E38DE5AD33991A1A249,SHA256=3E56084FF1C21BFC7EEE510864AFE5C832CBF07B1C970AC61139E3CB20D57ADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897542Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:57.435{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F8B074F61E2B21FBCB8544F5637FB0A,SHA256=9DDD3222C87FD86C2F241B3DF58D10CC34CE51935D034E65001B226C2D5A9888,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:58.267{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D1BEE713E1428A98A9F3BF78E1DCA13,SHA256=964BB1CF8EC92F8BC628F6F03E0E6B551715C863EEF63F43E7C9A2ADF260E90A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897543Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:58.467{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D12C753D2801FD7C48874E48C343FC9,SHA256=891305083FA59552AF92E0821957B1D90C8673A9ED61AE4809FD3564C8109967,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:59.001{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFA6F09DC51A12C2AECBD08652AEAFF4,SHA256=08B374ECA8D62617AF4026231F08EDEC7429B9CBAAB484C3BED5524D21A2B8DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007984950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:59.001{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B20DEB6ABC485B325FD89DD9BB9418F,SHA256=EDA362D18BF4EAB86F5441F1D754F854053D8758CA19F3B35CEB5C1AAE2E959B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015897545Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:57.446{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51836-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897544Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 15:59:59.482{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=961C2940C151B72B3E4BFD1DA5256A32,SHA256=56B56F323A5C84DDBB066F116E014E065C82690ACCE162685CBB6D414769E1F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:00.362{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=536379FCB8D2FD21D5FD34D1B4DD9AC3,SHA256=CDB6CDCA793F8EFD33B31BA5EBCACB8D949C6D98D5596761045D17FD4E328F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897546Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:00.498{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48DB2E973D9671EB9F5F1C34C15E4253,SHA256=1C92138CB8F39840AB131B6C1C54E835C6C327E2B4A5C0026DC392ED45BC3011,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007984954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 15:59:59.397{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62083-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007984953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:01.737{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0D18DCD97242C2A92D32342D3233F70,SHA256=88155CE46A92D64B628517EE2AA98990DE9F497CBEC3E437A2C5FE151D44A290,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897547Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:01.513{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9153E5F14BD4A24692AD95F28E3FBA8,SHA256=3B41F621A98BDBF80F28A3980D8DE343A9CE6467FF25114E6BB07271918FC5BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897548Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:02.545{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80FD842C0833DCBBBC06B7B67251600F,SHA256=9E977AE05C40ED397D9DC238D3A5F1AC3077F37DEF6675791D0148C2C6FA0019,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:03.096{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=328763E0DEFC353F7930497AD535E4F8,SHA256=365A93CC2B1D1B06C06798977AB69D51F52667AD8D48FB1B9DB7D39CFC575773,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897549Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:03.545{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9A39C2F071AC0105AB70FFDF3B6FAE4,SHA256=415413C4EDC97B42ED0BAF4F4AFBDCA321FC5F3A865589D48C8E168896A54CDC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:04.471{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=763B642CF8ED2E978E0E789030743BCF,SHA256=A549970A9CFA054EED435696C5FF70DD2884AC85FFDFDEB443000470E548E60E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897550Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:04.576{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBE3C53C0FB38505FCBE09C2F2834CB0,SHA256=1FCE365A7F3354276ACA4DBD44B353DA13CD041C818DE5C02F91F6D6B3F52821,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:05.831{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60DCD17AA2AFABC4D9D07F918E329DB5,SHA256=691D48FE94795425296EFF407AE566DC42BDAD787833A1D78C281D316D9234AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897552Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:05.607{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1393FC24BF74B1ACFF5C3D81BC8573EA,SHA256=AA4FBC134FEBE315E24106E3754980AB772AB179E8118ACD23681E7430514D38,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897551Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:02.571{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51837-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897553Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:06.685{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E1E4BD9C1618741E07308AB030D9413,SHA256=E841321DD91C975E532906B8237B97149618BC505379FF75A56548B41FFE406C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:07.876{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDDB8E4C74B1C3E8E3C01E2F10E55F5D,SHA256=1C12E241AD0969E4E16B2CDAD5BB55E865C3C329DDF461762DFF827FDF410BAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007984959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:05.398{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62084-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007984958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:07.204{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F312EA51FA8A5A176AE3414CF9C0B5,SHA256=022F59641F5E51E11B6FFE9057A302A4172C4EBC69DA54A6870D6428A296E927,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897554Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:07.732{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84F9ADFE2DF78DE6D44E177313C61522,SHA256=FF8043F5A945844A1B0B30679A7B1921B14DD1770E58F5E4DC405C9993358304,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007984963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:06.634{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-128.attackrange.local138netbios-dgm 354300x80000000000000007984962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:06.634{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-128.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x80000000000000007984961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:08.563{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B7BF40A8DF7DDCCA78A195DBF95A5AE,SHA256=882E9773246AC997343691E2C1172531DD5089A041D3C589AEAFFB70C88A430C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897555Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:08.747{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F5698A83348A1B78AC5BE2C290A3B2,SHA256=7EB56F0037E841A42286AF106AE1EB8F1D449288C01962C5D7738E32947CCA4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:09.923{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3125857B56653B64843E60768E227BEF,SHA256=B95222A372C6498B27D8D528C090202862660D91F10ACAB196FAA1E3386336A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897556Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:09.763{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CA9FBA354A1BD44C7F7A3AF94692712,SHA256=AB1ABF3E2203893683305C34E270B7CF1744AF9CF20C58899F69CA4AD62553B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897558Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:10.779{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31D1600127EE4778003C5EB2E57B4353,SHA256=5BD17E8708CE31D10348B1C6625FCC46FD74E59011BB3232F067D6369C53995B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897557Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:08.336{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51838-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007984965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:11.298{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5BFCAC48D1D1BF092D8C9DA5BF0973A,SHA256=74C42D29194F56D28E85066FD3173E78BBB398D7A5B4B32434EB2534C300EB26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897559Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:11.779{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F89154B8790ADA12D7350C513032B0CB,SHA256=BD2495AC04CF9433CE9470CB81A9150714CA6F1AA4571AF40BFF8FA6E3E2D770,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:12.657{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07674A477986F5F8894A452B84A97D5B,SHA256=52108DE8B583C72FD550939D65B959785655CFD06E1A9D0011B765382C9825C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897560Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:12.794{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E3827E7D94F9E141FC9C206B532A57F,SHA256=F6885662C1668D93854D4340C2061E98971ABD7B534A2464CE2450BBD7480705,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007984969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:11.412{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62086-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000007984968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:10.693{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62085-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007984967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:10.693{3BF36828-DD1D-60DD-2F00-00000000C801}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62085-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x800000000000000015897561Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:13.810{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFBF9DA38C346B57D04DF6E8166A0A1F,SHA256=89FC346C04F925D7D7DBB9E577F6D9DA4E54FA17EBB6E8387242522952D5A406,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007984970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:14.032{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=117CB49BB5B979252F8DA9567A8B8B4C,SHA256=61B413E781677E17F54687A8DA11A48DEA3ADBE1ADDFFABA8442AF066A41D42A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897562Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:14.810{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF3E602504B7D14C42CA010148D2FD26,SHA256=7B4E755F2F4A88FD242AED08C04C5E5656166D12FF6C8C30E1B63D22AFAE8840,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007985027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.517{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007985026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.517{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007985025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.517{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007985024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.407{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007985023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.407{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007985022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.407{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007985021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.407{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007985020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.407{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007985019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.407{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007985018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.407{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007985017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.407{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007985016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007985015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007985014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007985013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007985012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007985011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007985010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007985009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007985008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007985007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007985006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007985005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007985004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007985003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007985002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007985001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007985000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007984999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007984998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007984997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007984996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007984995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007984994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007984993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007984992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x80000000000000007984991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007984990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007984989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007984988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007984986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007984985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007984983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007984980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x80000000000000007984979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007984974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x80000000000000007984973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A063150FDA49E3AD796B5FF00963BD54,SHA256=273BD3047E0610A233F24BD54A857DC5F9EDC873BCB51722B313AA970AF33F36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007984972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.392{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007984971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:15.393{3BF36828-E68F-60DD-B401-00000000C801}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897564Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:15.857{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F5A4240DC954A73FCCC831F3793FF5,SHA256=9FAA18BFD7E7BC50F93419991272B6272D35E19674DE6BED6A5872FFD2360E87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897563Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:13.430{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51839-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007985084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.767{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C21376420DF229C20DC615485079301,SHA256=00CBDFA6CFC72095602243A070D6ED6127D32C97DF22D8291C48A81CD8A9464E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007985083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.204{3BF36828-E690-60DD-B501-00000000C801}10841856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.204{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007985081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.204{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007985080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.095{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007985079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.095{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007985078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.095{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007985077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.095{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007985076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.095{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007985075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.095{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007985074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.095{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007985073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.095{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007985072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.095{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007985071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007985070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007985069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007985068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007985067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007985066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007985065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007985064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007985063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007985062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007985061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007985060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007985059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007985058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007985057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007985056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007985055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007985054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007985053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007985052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007985051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007985050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007985049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007985048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007985047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007985046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007985045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007985044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007985042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007985041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007985039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x80000000000000007985036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007985029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.079{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007985028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.081{3BF36828-E690-60DD-B501-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897565Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:16.872{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F3D34EDC1B4CC3DE67D6184FB3FE92,SHA256=2144BC14046930333540B513CFBF792599A9DF6BB407B7A5617A3CCFD29B7A96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x80000000000000007985089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:00:17.485{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\D370F6FF-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_D370F6FF-0000-0000-0000-100000000000.XML 13241300x80000000000000007985088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:00:17.485{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CA735696-6C26-4910-BF98-1B50C97DCBCC\Config SourceDWORD (0x00000001) 13241300x80000000000000007985087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:00:17.485{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CA735696-6C26-4910-BF98-1B50C97DCBCC\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_CA735696-6C26-4910-BF98-1B50C97DCBCC.XML 23542300x80000000000000007985086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:17.439{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79C298CA703F654740E65794FC63C846,SHA256=BAA5310B728A2B4A6EFCEF76737593CB4162A319A418EA71BFC9DE8092DDB5FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007985085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:17.439{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=926FCDC70D32DEA6C000AC3E2CDFDB6C,SHA256=4877CA9A3B047D0AA6AC3681D6B11313EAD1BFD1DE01C1DDBF9ED00F64A60613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897566Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:17.888{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE99FEF4939FFA2F8AF7EF378040BC81,SHA256=ECEF22B51D7BD9FCBD2726F9813CEE48EE7ED741303C0F0C79336C668B825D21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007985094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.721{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62088-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x80000000000000007985093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.721{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62088-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x80000000000000007985092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.709{3BF36828-DD0D-60DD-0D00-00000000C801}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62087-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local135epmap 354300x80000000000000007985091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.709{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62087-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local135epmap 23542300x80000000000000007985090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:18.126{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2492737F0DB2E02E93F10F71D7E67A7,SHA256=C3EDCE9756EDD840FC13684620C36855C580B9D6DE4DA9A88A9CD8F7DFFB9E9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897567Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:18.935{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4AC1327BB6E1EE8C58A8A2EBA48DE64,SHA256=4CD196B3042DE8541A3BA5895EA9A367C951D4470B60842C686DAC117DCBB7A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:19.564{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF6488D3A43127094EB00BF13CD296A0,SHA256=1E5F2BA64A07DB42A4DEEF7AB2F43F4E34CD7F2E63F1B270F9310F9644682ADC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007985096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.726{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62089-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x80000000000000007985095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:16.726{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62089-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 23542300x800000000000000015897568Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:19.982{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13C19B2B7BE7CD44A30FE4CBB8CA5C93,SHA256=C900CF09393DC6B9702DDFA555617BB68341DB492406AD62C9A9613AEEA88AA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:20.767{3BF36828-DD1D-60DD-3000-00000000C801}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007985122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:20.564{3BF36828-E694-60DD-B601-00000000C801}4696C:\Windows\System32\wermgr.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007985121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:20.564{3BF36828-E694-60DD-B601-00000000C801}4696C:\Windows\System32\wermgr.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007985120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:20.564{3BF36828-E694-60DD-B601-00000000C801}4696C:\Windows\System32\wermgr.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007985119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:20.564{3BF36828-E694-60DD-B601-00000000C801}4696C:\Windows\System32\wermgr.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007985118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:20.564{3BF36828-E694-60DD-B601-00000000C801}4696C:\Windows\System32\wermgr.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x80000000000000007985117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:20.564{3BF36828-E694-60DD-B601-00000000C801}4696C:\Windows\System32\wermgr.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007985116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:20.564{3BF36828-E694-60DD-B601-00000000C801}4696C:\Windows\System32\wermgr.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007985115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:20.564{3BF36828-E694-60DD-B601-00000000C801}4696C:\Windows\System32\wermgr.exeC:\Windows\System32\wer.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Error Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwer.dllMD5=65C4FEDB972CDE71C2AF0F5AFA1C1C15,SHA256=63C1A7AC782F15980F47972E5B481C2E80EBCD1A2A497EAE93F469BD266CC638,IMPHASH=64F80A25C9178937C2771969A7448641trueMicrosoft WindowsValid 734700x80000000000000007985114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:20.564{3BF36828-E694-60DD-B601-00000000C801}4696C:\Windows\System32\wermgr.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x80000000000000007985113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:20.564{3BF36828-E694-60DD-B601-00000000C801}4696C:\Windows\System32\wermgr.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007985112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:20.564{3BF36828-E694-60DD-B601-00000000C801}4696C:\Windows\System32\wermgr.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007985111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:20.564{3BF36828-E694-60DD-B601-00000000C801}4696C:\Windows\System32\wermgr.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007985110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:20.564{3BF36828-E694-60DD-B601-00000000C801}4696C:\Windows\System32\wermgr.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007985109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:20.564{3BF36828-E694-60DD-B601-00000000C801}4696C:\Windows\System32\wermgr.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007985108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:20.564{3BF36828-E694-60DD-B601-00000000C801}4696C:\Windows\System32\wermgr.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007985107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:20.564{3BF36828-E694-60DD-B601-00000000C801}4696C:\Windows\System32\wermgr.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007985106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:20.564{3BF36828-E694-60DD-B601-00000000C801}4696C:\Windows\System32\wermgr.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007985105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:20.564{3BF36828-E694-60DD-B601-00000000C801}4696C:\Windows\System32\wermgr.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007985104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:20.564{3BF36828-E694-60DD-B601-00000000C801}4696C:\Windows\System32\wermgr.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007985103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:20.564{3BF36828-E694-60DD-B601-00000000C801}4696C:\Windows\System32\wermgr.exeC:\Windows\System32\wermgr.exe10.0.14393.4104 (rs1_release.201202-1742)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerMgrMD5=CDACB50345D70AB9D6AAA8C00C1D08CA,SHA256=95F57395CE1C04DAB609571CE86E48D1DBFA81CAFCD9D724EAA9AC6DF2ECF4DC,IMPHASH=6DC2C72968365A54FACC1F52003C32E9trueMicrosoft WindowsValid 10341000x80000000000000007985102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:20.564{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E694-60DD-B601-00000000C801}4696C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007985101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:20.564{3BF36828-DD0D-60DD-0F00-00000000C801}3442024C:\Windows\system32\svchost.exe{3BF36828-E694-60DD-B601-00000000C801}4696C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:20.564{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:20.564{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000007985098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:17.396{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62090-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000015897569Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:18.539{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51840-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007985185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.673{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0858436A286E1E23E057A0F52F3BFC13,SHA256=7FAD1BA410F77D2CF36659F3A032B0EC4C170BAD75DD3D3E263D852E77D0F4B2,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007985184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.126{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007985183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.126{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007985182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.126{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007985181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.017{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007985180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.017{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007985179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.017{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007985178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.017{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007985177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.017{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007985176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.017{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007985175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.017{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007985174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.017{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007985173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007985172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007985171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007985170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007985169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007985168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007985167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007985166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007985165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007985164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007985163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007985162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007985161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007985160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007985159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007985158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007985157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007985156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007985155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007985154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 23542300x80000000000000007985153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=624B76D0BCC460D0AAFE0D33A1C21554,SHA256=A8243133B7BC63715D7CA1ED0A4156CCA144AFE3981722A2592097D5F75BFC5B,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007985152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007985151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007985150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007985149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007985148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007985147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007985146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000007985145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007985144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007985143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007985142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007985141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x80000000000000007985140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007985138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007985137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007985134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x80000000000000007985130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007985125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.001{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007985124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:21.003{3BF36828-E695-60DD-B701-00000000C801}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897570Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:21.013{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66D98F0753960F7F69DAFEE5C5E99267,SHA256=2496B80235406B7BF5C2EB8CBC2FC312404F8875AB945FF7F5633312265602F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007985202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:22.986{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:22.986{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:22.986{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:22.986{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:22.986{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:22.986{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:22.986{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:22.986{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:22.986{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:22.986{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:22.986{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:22.986{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:22.986{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:22.986{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:22.986{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007985187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:22.376{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68A4E482DD6C98F4F261A987B646A039,SHA256=0B3262678848C9A8CE0FBB45D72A158473BE038B8BFD7D1BD3C55CE35B4A6E48,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007985186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:19.974{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62091-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000015897571Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:22.029{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=205B9E0199F0440738213D3F72A56D5E,SHA256=593FD794C996C02ACB778EB326D3B0030BE03615F60DA9FD92F9EF124FBDCC3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007985320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.892{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007985319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.892{3BF36828-E697-60DD-B901-00000000C801}29201088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.892{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007985317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.892{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007985316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.782{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007985315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.782{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007985314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.782{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007985313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.782{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007985312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.782{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007985311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.782{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007985310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.782{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007985309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.782{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 23542300x80000000000000007985308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9622657580ED09B620549F799291E5CA,SHA256=7EB2D9396010A07510A25038FB616C84CDF496F97F54212D4200C80182B74647,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007985307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007985306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007985305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007985304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007985303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007985302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007985301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007985300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007985299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007985298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007985297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007985296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007985295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007985294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007985293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007985292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007985291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007985290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007985289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007985288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007985287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007985286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007985285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007985284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007985283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007985282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007985281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007985280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007985279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007985277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007985276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007985274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x80000000000000007985271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007985264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.767{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007985263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.769{3BF36828-E697-60DD-B901-00000000C801}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007985262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.189{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007985261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.189{3BF36828-E697-60DD-B801-00000000C801}50804420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.173{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007985259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.173{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x80000000000000007985258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.095{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.095{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.095{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.095{3BF36828-DD0B-60DD-0B00-00000000C801}6522840C:\Windows\system32\lsass.exe{3BF36828-DCF0-60DD-0100-00000000C801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 734700x80000000000000007985254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.079{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007985253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.079{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007985252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.079{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007985251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.079{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007985250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.079{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007985249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.079{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007985248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.079{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007985247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007985246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007985245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007985244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007985243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007985242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007985241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007985240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007985239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007985238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007985237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007985236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007985235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007985234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007985233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007985232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007985231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007985230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007985229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007985228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007985227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007985226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007985225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007985224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007985223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007985222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007985221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007985220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007985219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007985217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007985216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007985214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007985211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007985204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.064{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007985203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.066{3BF36828-E697-60DD-B801-00000000C801}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897572Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:23.044{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A78DDBEFF01AC4D94CD2ADA293A4241,SHA256=D871F33029D89FD9F597532E77281705F89FAA6CC33E5B0ED91F7E31A661A7F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007985381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.642{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007985380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.642{3BF36828-E698-60DD-BA01-00000000C801}5008332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.642{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007985378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.642{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007985377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.532{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007985376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.532{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007985375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.532{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007985374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.532{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007985373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.532{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007985372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.532{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007985371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.532{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007985370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.532{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007985369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007985368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007985367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007985366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 23542300x80000000000000007985365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD56BB1732EF80A3DD1CC438CC85D678,SHA256=7804E48C083F4BCB5204285F437DD357CBC65FAD5BF19882D4E498B6393A12F1,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007985364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007985363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007985362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007985361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007985360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007985359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007985358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007985357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007985356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007985355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007985354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007985353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007985352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007985351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007985350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007985349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007985348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007985347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007985346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007985345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007985344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007985343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007985342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007985341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007985339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007985338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007985337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007985334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007985326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.517{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007985325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:24.519{3BF36828-E698-60DD-BA01-00000000C801}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007985324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:22.219{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-128.attackrange.local62093-false10.0.1.14win-dc-128.attackrange.local389ldap 354300x80000000000000007985323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:22.219{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62093-false10.0.1.14win-dc-128.attackrange.local389ldap 354300x80000000000000007985322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:22.212{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62092-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x80000000000000007985321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:22.212{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62092-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 23542300x800000000000000015897573Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:24.075{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C28C2E90962CEFC21AA2A018A4E24930,SHA256=527FE75D5A47AD22834714C958B82D8A0F4074A5851B909DF6E6A5A27AA6B3A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.892{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A60527B573FAF3987B50C696567FE74F,SHA256=63540A2719FA24F9796B0B625BFAADCDFDC6C7AAFE370E0B256F8931FE6E2C8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007985439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:22.320{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62094-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 734700x80000000000000007985438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.329{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007985437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.329{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007985436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.329{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007985435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.220{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007985434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.220{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007985433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.220{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007985432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.220{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007985431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.220{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007985430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.220{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007985429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.220{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007985428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007985427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007985426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007985425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 23542300x80000000000000007985424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BA79EFB7C5B65E873A200EC4938E120,SHA256=532A54E0A8B7AFBA1391A8D5D203CE10D887E82B21305B3541285AB23DA07C97,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007985423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007985422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007985421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007985420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x80000000000000007985419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007985418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007985417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007985416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007985415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007985414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007985413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007985412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007985411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007985410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007985409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007985408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007985407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007985406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007985405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007985404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007985403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007985402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007985401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007985400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007985399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007985398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007985396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007985395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007985392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x80000000000000007985388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007985383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.204{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007985382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:25.206{3BF36828-E699-60DD-BB01-00000000C801}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897574Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:25.091{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FE26D7A3BD3FC166577A9655406AC9D,SHA256=006CFF1E1B0F78D32BE68F998DE55BDAE023A4C4924C8ABB0F784513A2E1E129,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007985442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:23.411{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62095-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000007985441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:22.321{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62094-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x800000000000000015897576Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:24.414{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51841-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897575Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:26.122{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D13FA536888D17AAF82041077D5D3BC,SHA256=1087988FDDB41B1DCB55E13A8BECA2171E77A30BD4952FCE069464F1C6E40B03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897577Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:27.128{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69CC53A77697AD07E63B57C0CC101A9D,SHA256=5779C7740BD4CDDC70CF5C35DD2837210068190B1345677ECD6AEBB76CA0B7CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:28.928{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02F98BAD1CF6253ABD26279AF39449F7,SHA256=4D4E0F9D7E21FA3902F3359B9C9C60DBC58B5E109A446E4FDAAF016F6359F437,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897579Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:28.268{B81B27B7-880B-60DC-1F00-00000000C701}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897578Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:28.159{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92B8C508B0B083A7F2F5E8FDDE87C74E,SHA256=8971E47759D54C2F01982A461E0A092A923882AE1760ACC8488034D79B97A0F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:29.350{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39CEDE62720AA7489A74A3EBA055262D,SHA256=AA0DF2A4E95B107B4C48466CE9AE0F84F057E19372CAF1335CE3747D708BC8D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015897581Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:27.560{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51842-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000015897580Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:29.206{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11C1767E0371F3DC4A6171E9070D7553,SHA256=6288E49B50E0C26810145551D6419D31BF292C3304C5BA9FD6B7859E9ACC0C7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:30.913{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=544C6ADF078F428A9EAC5A6E97E41C4C,SHA256=9C8547292985C20713A4284565B744B2E4F2A168FFFF1CCF3AC27FBD500E1BD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007985445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:30.163{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B73E17DE6AD2F1B23E35D58F3DF54DCE,SHA256=C05A85F0B10734AA0CBB83C2CCEB0AE1D908A5A7D27C526207D9F5C3B69B97F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897582Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:30.253{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B2832F5DBCA75C1E3B96C443968B452,SHA256=CB60A71FAF99A2FE4F865DBD040EBA78DB6A4F0CE2B31430CC9851E45A9DE593,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:31.678{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37CAE14B23EEC4C3E823B9165A8B6210,SHA256=43810EC9E4DD9FE2D60283DD21BEF18898F50F4643C171132A10A087C2BC2819,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007985447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:29.432{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62096-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897583Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:31.268{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DAB4BBF45FD352EB8862ED55E382C77,SHA256=B41BAD5307F69596B85DF7A99E36C00C25978E6683F7BA230C3500AC4A816F16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897585Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:32.284{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D52EC993A883AEF5878F66DC7831C9F0,SHA256=8EADAA49B70B27D6A6F5379B0D4C98653DB94B2A69BBDE4FFBC3A344FBB88177,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897584Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:29.482{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51843-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007985449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:33.053{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B14EEEEE33F2A6CCF6337E49251F1AF,SHA256=6C91387DABB065D719B6B09F963C60B905235D31CE4E03AC5E547FD7C2D37FA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897586Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:33.331{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B630AB86EB2F6CFDC18AADA81FE176,SHA256=6530A07F1955948C42788AAFB0E32E6DCB07670D14F34D80884D4D90934271EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:34.413{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F19A57A9570AFC2257852367D422F336,SHA256=0BAB4353646E3BB67C8B49A31C06737A0EC556068B3B804377B0CF820D829B37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897587Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:34.346{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4EA0B09D15B8EE1D35C6B06F26F309F,SHA256=5CC816F013AC16592F3659B785693F458F1E1C5D9ED1C663DE71202193BD7CA4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:35.835{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79C9C8505E4FB5068A412BA019FCEF7D,SHA256=871DE0C9C798E92147A44076CABC27044330D426F8E8C769624A680FDF4F9BF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897588Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:35.362{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCA3F99B459E2AB3AD5DAC2697741174,SHA256=FE7A7F73AE87DC72CF92FEDC5154670BE8D35448AFA57BB1E890B556C3FE00AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897589Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:36.378{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A97C1B8E988FBFEA2E35EB3668C06C22,SHA256=1D68D04142E6A90DB0504DE2C86B319ACEC4DC9B0D6603EB39B7E26BA44C9E45,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007985453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:35.447{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62097-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007985452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:37.194{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC19A5EC9F179AD0545A5DADCFF3E1DF,SHA256=113ECFC1F1608F56803BB08177E38BB27E297C6349ABC39168C1CCA6DF3F4D0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897590Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:37.409{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=962FA1C737A05834EEB39101BE219B4E,SHA256=D78B4165A32A7EE4D7DB9BDE23729B5054B66D23C16BFB2D0C13BAEA16292D7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:38.569{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C5B48190B4448714EA53A2A957607F5,SHA256=6E91D35203D71A3617356E6AEB3FB0808D9C69E00D8B49423AA2AA2913F52320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897592Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:38.409{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B04AE2E9B56C94C9C1B0288F4884560,SHA256=2C0261B4E25A595A94648C842FFFB90BFEC74E54C1AE2772A45B1F8B5DCB9EBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897591Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:35.498{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51844-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007985456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:39.942{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=893FC6A1605A8C618D7E87F01350866C,SHA256=01E43C3AD40B05902A23475B994EDD952592608E0DD034ED59153113C96E63E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007985455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:39.942{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1C8BB926C502E9D40826A72D72ED63D,SHA256=3CE20526A8AEB1B08887C2192FE196CE4B8A33D44FDAD3A7321E7FC2C9454294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897593Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:39.503{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3543C290E6C256D7EBE321EAAFD77144,SHA256=C30DA42CFE8BEA4D2FBC2ABC449E75CD7A1F143E0277E0D2CB706E15FCAC8B7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897594Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:40.503{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=757BFF8519CE04E6E6C12468CE3A4453,SHA256=6EF871FFE41577977B4941A5C07A138A2A805948C2CE622E240A4413905B9A26,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:41.304{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33991C8D771228A0C9273F22F515DD90,SHA256=D576286EAB97D0C1200E341D27D2B918D5855E39243D3CFA123E47388538EE44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897595Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:41.534{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88D36F8EBCDDC8B3B8AF9E9A3A3088F1,SHA256=BAB824F16A032397BBD8979BCC92F52A98E968A5A6E234C58A3D983BB419D385,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:42.663{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8E6CB7B5005E5B90C9BD9F68C849F96,SHA256=29EE5C93EFD383F60DE18B0645271725C4F508A64A84FDF30B3693627A18EB03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007985458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:42.319{3BF36828-DD0D-60DD-1200-00000000C801}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=BE1ACEEDDE16CEE2000EA74BA9008DFD,SHA256=D5E27BB5DEF3AEA70339E85740E399537B31A90F5BA93A750D283882B8A6AB4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015897609Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:42.924{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E6AA-60DD-FA29-00000000C701}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897608Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:42.924{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897607Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:42.924{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897606Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:42.924{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897605Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:42.924{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897604Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:42.924{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897603Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:42.924{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897602Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:42.924{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897601Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:42.924{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897600Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:42.924{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897599Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:42.924{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E6AA-60DD-FA29-00000000C701}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897598Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:42.924{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E6AA-60DD-FA29-00000000C701}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897597Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:42.926{B81B27B7-E6AA-60DD-FA29-00000000C701}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897596Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:42.534{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B161FEB80318B9156BDB1C95A4DC96D,SHA256=45527559B34C3510643CD17615D55330A9D075A3FCB65F367BB85AE72ECA41C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007985460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:41.447{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62098-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897626Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:43.940{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5962410C68D1F00883BF318CA0749B14,SHA256=862444562F5C39745C326B6C8CC794DDDE291C28A6A0652DE09EB559E19B5758,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897625Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:43.940{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9625543AF4FCECF3B1F6D4AFFE4134C4,SHA256=097467E509A562CFD816C13E2502CA22E11B292D777B5B712466A8AEB25766DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015897624Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:43.596{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E6AB-60DD-FB29-00000000C701}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897623Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:43.596{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897622Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:43.596{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897621Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:43.596{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897620Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:43.596{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897619Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:43.596{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897618Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:43.596{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897617Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:43.596{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897616Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:43.596{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897615Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:43.596{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897614Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:43.596{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E6AB-60DD-FB29-00000000C701}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897613Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:43.596{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E6AB-60DD-FB29-00000000C701}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897612Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:43.597{B81B27B7-E6AB-60DD-FB29-00000000C701}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897611Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:43.549{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91DD8565AB6571265FDFA357987A3365,SHA256=05CCB948D2AD3E03F4EF5E7FD3AA5FDEC04B69657E3E0665F794E2FF89531AE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015897610Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:43.081{B81B27B7-E6AA-60DD-FA29-00000000C701}31762504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007985461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:44.038{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9CA62353428C030AF9869139633BFE9,SHA256=63A63383963D000F01AA73A24B635DB00C855122E237CF628A56F180EFC66F7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897641Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:44.690{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B823BAEE593DFE207B3AF7B19A89090,SHA256=148B429DC4351C8C56978592BFF34158F825270BF08933D0B79A5F4D0832DA0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015897640Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:44.268{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E6AC-60DD-FC29-00000000C701}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897639Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:44.268{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897638Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:44.268{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897637Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:44.268{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897636Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:44.268{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897635Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:44.268{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897634Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:44.268{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897633Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:44.268{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897632Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:44.268{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897631Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:44.268{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897630Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:44.268{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E6AC-60DD-FC29-00000000C701}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897629Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:44.268{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E6AC-60DD-FC29-00000000C701}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897628Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:44.269{B81B27B7-E6AC-60DD-FC29-00000000C701}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000015897627Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:41.482{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51845-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007985462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:45.397{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD7EFEA4601D880ECAB4069122124B4D,SHA256=CC2B6A1398E5DF993C4AFB15DBB629DF26B09D17909D8A7F7D4983808AA6B7E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897643Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:45.690{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA5DEBE0698596F61AD17AAB253A1FC7,SHA256=AE307EDEF00514A4D83F27CFEBC24622E4881D296D980EEFC5F730A10D4AF93A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897642Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:45.487{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5962410C68D1F00883BF318CA0749B14,SHA256=862444562F5C39745C326B6C8CC794DDDE291C28A6A0652DE09EB559E19B5758,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:46.757{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8612797F48EB329A807B4FAC306BAE0F,SHA256=F429DFCBE97FF3312091B8F5E9CED6FE58E26F1F88F0CB503E240A973BA22455,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897644Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:46.699{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E585674813859B7258D8B5402B7F2566,SHA256=3641FE3B08D607ED158496FE8E525F18F277478F2B0714D02775176612CE9B64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897659Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:47.725{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBE8C5CE91FF5232441DEF770F6F26D1,SHA256=B31A0BC917A8B6CAB559A5172ADBD01F488DEA71C32C56A0D3B34DEA084434F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015897658Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:47.503{B81B27B7-E6AF-60DD-FD29-00000000C701}56004572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897657Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:47.331{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E6AF-60DD-FD29-00000000C701}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897656Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:47.331{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897655Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:47.331{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897654Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:47.331{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897653Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:47.331{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897652Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:47.331{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897651Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:47.331{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897650Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:47.331{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897649Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:47.331{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897648Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:47.331{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897647Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:47.331{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E6AF-60DD-FD29-00000000C701}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897646Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:47.331{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E6AF-60DD-FD29-00000000C701}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897645Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:47.331{B81B27B7-E6AF-60DD-FD29-00000000C701}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007985465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:48.804{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B9265CAE0A6FB87566F8342A57860B8,SHA256=BA19453A5B9E04C8A47B1EC026DD97B154F324B84AA5A382DB84B89EE3622536,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007985464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:48.132{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30DB9226D395EDD0B252D09D58423D3C,SHA256=8BD9CCA02D2672C2CCC184FD9B2E13106076AFE66B84B4A9753688F988E93E2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897688Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:48.803{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F69E292EA4E4E1096DD3FDA59BAC012,SHA256=5EB6FE9738B5E5A4D9BD929AFF13D34DB153781BF8747AAE77B004D71E0CA792,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015897687Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:48.678{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E6B0-60DD-FF29-00000000C701}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897686Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:48.678{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897685Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:48.678{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897684Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:48.678{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897683Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:48.678{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897682Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:48.678{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897681Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:48.678{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897680Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:48.678{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897679Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:48.678{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897678Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:48.678{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897677Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:48.678{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E6B0-60DD-FF29-00000000C701}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897676Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:48.678{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E6B0-60DD-FF29-00000000C701}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897675Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:48.678{B81B27B7-E6B0-60DD-FF29-00000000C701}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897674Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:48.334{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3092311EC0647428A9EACE26D58FF108,SHA256=AE8438AFA8A445E81A200DA23D8BD29294BBFD5DBA13D6784860604DD7310ED9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015897673Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:48.146{B81B27B7-E6B0-60DD-FE29-00000000C701}14365912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897672Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:48.006{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E6B0-60DD-FE29-00000000C701}1436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897671Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:48.006{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897670Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:48.006{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897669Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:48.006{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897668Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:48.006{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897667Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:48.006{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897666Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:48.006{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897665Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:48.006{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897664Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:48.006{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897663Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:48.006{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897662Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:48.006{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E6B0-60DD-FE29-00000000C701}1436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897661Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:48.006{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E6B0-60DD-FE29-00000000C701}1436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897660Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:48.006{B81B27B7-E6B0-60DD-FE29-00000000C701}1436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007985467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:47.369{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62099-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007985466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:49.491{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AEC45D37899B0E4F26903B3F64866A0,SHA256=1B5883EDBA1FA1567D6205F3079F2E589B52D1DFF6A9BBC8648F50FA6424560F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897705Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:49.912{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B950838CD35F35E94028A3ED4594F6C,SHA256=507C721A75EC921C2F81CD2978C309B5F4872C6F000E519D85DA546E147F627B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897704Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:49.803{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=525981FE0E02ED05392F55D2F7A074C0,SHA256=FA7A05078E2E1515962204B5B0CD58F0467416F7E2F679B9847F4DAD292B3361,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015897703Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:49.506{B81B27B7-E6B1-60DD-002A-00000000C701}14082728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000015897702Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:46.529{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51846-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000015897701Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:49.350{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E6B1-60DD-002A-00000000C701}1408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897700Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:49.350{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897699Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:49.350{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897698Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:49.350{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897697Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:49.350{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897696Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:49.350{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897695Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:49.350{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897694Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:49.350{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897693Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:49.350{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897692Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:49.350{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897691Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:49.350{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E6B1-60DD-002A-00000000C701}1408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897690Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:49.350{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E6B1-60DD-002A-00000000C701}1408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897689Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:49.350{B81B27B7-E6B1-60DD-002A-00000000C701}1408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007985468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:50.866{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5918EDAF0B04EC80BC285DBFFE7F5D32,SHA256=1061E79CBB2BFD446DCDEB607FE407938D2876986FD936A8872CB550679F87CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897706Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:50.818{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7DD57E861339FB8E96DD3B8E37DED55,SHA256=AFD0364137305A1281275265C4B35912F0FA58056764E2245D55CBCE9A2F4145,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897707Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:51.818{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E16E28F17590C3D8A4CC4CDA0E11B1C7,SHA256=249A75141D8E3B8D2F266E71EB74FCFC71F9F9CE66725E10E6CB703A8E9F4C08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:52.226{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=349C5B31C12EA66DF635712A6F51DCF0,SHA256=0ACA28CC0838CC2FC0B1C157B472B5015C8256072106017E7573D188AE421945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897708Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:52.834{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C40C575034DF543FBF35DC5457924CD4,SHA256=D889A92A9145F73F2C24E965910B38FB1B5EC204C77909B1FFACCC375606509D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:53.585{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D178CEED16DF6C0F51AA00CDFBE7BE2C,SHA256=2F63C9587E785D0190ECB64BD11542D05690DD3EF9737B449C7CD353339E2CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897709Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:53.850{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E533B4B7DC0EB0ED3DF7530D465D3D4C,SHA256=5C58735E996EFA6AC24847F6835CD594D91EB2108CEFDEFEC718811477302A3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:54.960{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26002BAD17041A58187C99F575E9480D,SHA256=4FDCEB50B45CF53DE3DAB971B8657F44CCDA9DF392CC41BFE9AAE7480423BE86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897711Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:54.865{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A690764C55B6A56A8BC3E1C292E88168,SHA256=BFA99963A389A8E9932E47708C2F46670388BF1BBFD2401BAC992375E7600AF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897710Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:52.391{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51847-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000007985472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:52.369{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62100-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897713Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:55.865{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB3B8DBFD57EC0C4D42CCF514CBB8F85,SHA256=A359978D04FB65917780CCC1E3D4B41D92791AAB60AAE5047E7791352964DA23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897712Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:55.287{B81B27B7-880A-60DC-1000-00000000C701}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0C8E1E8072AF0C9FD5460E9A1C5D4108,SHA256=BE9AD057378DACBFCBD780490D7482E8ECA45DA6F25A3260230ABAFBA6188C5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:56.319{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=058EC0F65650A0F503CFF4161D8E4C62,SHA256=4296A921BEB30941BD7BCCD3B7B7D78DEF51FAAD445CAA1CB8D41C4DB6804D00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897714Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:56.881{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FF144DF2159796939A845896347451E,SHA256=E3B0AEB5389377F6BBAA527C8BC1229D7AB1B7014DAD5954FD2C1C4595BBAE10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:57.319{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45D80C4BF6F60A80261E4D0D0833E415,SHA256=5E349E2BEB6A5B141BA1A41228D4C4789C4DB279774F3721D34DDD4A0BE4F06F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897715Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:57.881{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=584A6E9FCEDF4F36BC57D2ACE19994BB,SHA256=AB6EA7E90575F17A1CE4D0C40AD87989E7CAE056D03AC88E56D0A9A7424C34D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897716Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:58.896{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DE3319CCA082E3BA93E364379CC2086,SHA256=88B67EEC560BC26CF88B02753FDEC5B52B1C2A34FFBA4ECEFF2DCDE15E1CDC01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897718Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:59.912{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA259416C710E104398CC2A1C643516,SHA256=2CC92CDA675E982C50F1007BC91B8D80510694A236B7A6B90E8F43CE020C6E24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897717Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:00:57.391{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51848-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000007985477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:00:57.463{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62101-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007985476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:00.023{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56EA9D65A09CAB4441E887E960585E9F,SHA256=8DD0162100BCE2FFD934C4FED4D3EC4225450EC7AF7728C1A768FB7EDA5E15F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007985475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:00.023{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A1BF93FF9E03ED32064F69810F8F4BC,SHA256=7B1E6362F786CE4AE17543EABD6DFB6A7EE4A2AFF4EF93327E2B7933B311CEED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897719Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:00.928{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=281CA1024D2F8FCDE2B9532F13A40AD0,SHA256=8E8549D1D62816B89C8A21CFB76683EF8BCA6A530C21E8F3D8300EF7949BDFB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:01.444{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3508B4CE66A224AA8539849C61AC8B17,SHA256=2248F9485B35732932B9EBBB08A9D6A0A5ED11337C1DD702CFE6FBF5D9CE679B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897720Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:01.943{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA9481C353384FAB3B0CA3DD2396780F,SHA256=12503DE501926E2ABA7C4B1E9ACBD5FB6A5EF035666F380E9AE206FDC34F9745,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:02.804{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D22D8C0387CC973AEB873B319C317BB,SHA256=79F706D3B7B554072E4A8964E9F2F7ABEB6C180B79BE54180482B530DC49ECAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897721Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:02.959{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=659B7CDB203110CC2220EB89CBE01A81,SHA256=D4122AAB303B7B2E16228883D0ED63B209B2A6ABAFA714DA89D341AA37C5B7EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007985486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:01.482{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local53610- 354300x80000000000000007985485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:01.482{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local52112-false10.0.1.14win-dc-128.attackrange.local53domain 354300x80000000000000007985484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:01.482{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local52112- 354300x80000000000000007985483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:01.481{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:9840:b51e:8f82:ffff-52112-truea00:10e:0:0:0:0:0:0win-dc-128.attackrange.local53domain 354300x80000000000000007985482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:01.481{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53342- 354300x80000000000000007985481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:01.480{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local50899- 354300x80000000000000007985480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:01.480{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local50899-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domain 23542300x800000000000000015897722Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:03.959{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=870F9BDDDE674BE5EE654D05A5E92488,SHA256=9D6F2292DCCD7B98AE2D266A6E94839B862174F9BE314FF9AD05BBCF0939062F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:04.179{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC4D6F40DD75C064981C1718123B44F9,SHA256=D2A76D7E756A214C60137572A9F72A6F3AD9C925EC396B974E2B57016B715291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897724Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:04.975{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2104BDC2DB5A7C2481E519CCEB36B8E4,SHA256=11163920214F9A7E1B77BD6E151BB20BE7CB314D61E3A19949C334DBC20BA8AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897723Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:02.391{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51849-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007985489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:05.538{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60ED7E6252693A2C000D3DC5AFA10261,SHA256=D6D394FC62AD9988479555FDBD249B90D7FF2887636ABC5C513EBBF9AF828B4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007985488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:03.415{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62102-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897725Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:05.990{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0474C29399FE4D6FF09E22A8DAEB3850,SHA256=C7181C090AEF4988CADE290E73A0EA76A724E4EBEAAB567E5600A05335D78584,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:06.929{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BA120D44BB82C0CD0C56AB8F4F151DB,SHA256=536E426F2A5FF5B93FE8B9F63C544B405455E81B499F251D2BB21118E2087373,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897726Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:06.991{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76EF3A5EBBC31F201C70AB5DE8043203,SHA256=6073376FF7191A7B6C1E07BDEBAF739282099AEB81196A2C687CE93D64AFBC44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:08.965{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52E90A482601B88EDC5E1647B6B3ECD0,SHA256=32568CE5367BA3E323D0CE9A97BBBEBF63DE07382A9FF787070A0B77DF162D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007985491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:08.293{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E50B87F31A91AF7E7CC29E0B34D4F1B2,SHA256=C26855F2CAD411E3CA2EC39E6B8336928BA14D6EB60F6727CF48CA292AAC2F13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897727Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:08.007{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E056FCEBAB4479CA75825B554A85799,SHA256=027901718A854A106F1EB5DE8DECEA883ECDF7CA92078A055FAEAF616B461CED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:09.652{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7217A764EECBDFD36AE7831FECE0D74F,SHA256=0396FE8F6AA0781FD12E2A3652DE788FB21A6681C71C564916093D6023995254,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015897729Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:07.455{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51850-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897728Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:09.023{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E3D43176DDAC384E15FB6FF80DB6C89,SHA256=DB2CE18E9AD0CF02AC32297FCF440BACADDEB32F2F86754365B76ECF32735547,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897730Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:10.038{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=337336EC11525281EE3AE0CFF08FED79,SHA256=3013B6D82A14D4D4A61C05B39CD70B0E3ACB9C6C10B81E03447F1D143D3F0B01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007985495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:09.451{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62103-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007985494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:11.012{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B957144E8BD3670344B0039F27FDEDA5,SHA256=13ACB592D38C77017381F8C14DDA5DDED2580162700A5ABD8F3B03EA1DD65511,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897731Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:11.038{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C695C82E92802691D944573342A966D7,SHA256=D7FC3CD5C104878B19220C36CFE8E80A9B3CA878ABEB898B4AE5658FDE568342,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007985498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:10.701{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62104-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007985497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:10.701{3BF36828-DD1D-60DD-2F00-00000000C801}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62104-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x80000000000000007985496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:12.387{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D123BED549B461CF29B45FB554BDCE30,SHA256=AAEA3BD4FB13286DBCC129A6A63AF50BC3E557065491656B961D6B5BCB6B7A71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897732Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:12.054{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE6B1FEDB38C4CE9659EDFB0E9B8398E,SHA256=3FBD54B1DE8EFA3DD82545FF6C6DE8F27627CAE09828703B80C7B8FF6B22D961,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:13.746{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ED321800B5B8932C9C5D2D306DAB752,SHA256=F900335C38A71AAAE9EC5874AA7EF2D65F8110B0F096FFE5B015CA0861242832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897733Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:13.070{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82F874C1426143AC02DE777CE8191896,SHA256=69F6F139755832CEF1C07827803A5C94AD161FE2A19862DBFDF579659ADAD9C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897735Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:12.470{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51851-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897734Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:14.085{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ADA61E874A0001E7E42E8B2040BB8C6,SHA256=EA26844F2E23F7A37C22C6563A106FBCF7989662C94E2C772266E6CAF88287DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007985556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.918{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007985555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.918{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007985554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.902{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007985553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.808{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007985552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.808{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007985551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.808{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007985550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.808{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007985549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.808{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007985548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.808{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007985547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.808{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007985546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.808{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007985545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007985544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007985543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007985542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007985541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007985540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007985539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007985538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007985537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007985536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007985535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007985534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007985533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007985532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007985531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007985530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007985529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007985528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007985527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007985526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007985525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007985524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007985523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007985522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007985521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007985520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007985519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x80000000000000007985518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007985517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007985515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007985514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007985511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x80000000000000007985508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007985502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.793{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007985501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.795{3BF36828-E6CB-60DD-BC01-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007985500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.121{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81F679A746E99AB44EE392374D37E59F,SHA256=989B747BAB5331D013425CCD05536491C6B8C42391B1998B62D62A66C956F027,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897736Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:15.085{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B913D66A94E5460CCE861129E478777F,SHA256=833A7B9D4EB712720EB01BE66AACC17FB0FC22A01D0968987C84CCD1426DFB59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007985613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.605{3BF36828-E6CC-60DD-BD01-00000000C801}39322492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.605{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007985611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.590{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007985610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.496{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007985609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.496{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007985608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.496{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007985607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.496{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007985606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.496{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007985605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.496{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007985604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.496{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007985603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.496{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007985602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.496{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007985601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007985600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007985599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007985598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007985597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007985596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007985595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007985594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007985593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007985592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007985591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007985590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007985589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 23542300x80000000000000007985588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A57B911B0142A9188F9C9264760B1DB8,SHA256=ACA05C024DBA73BEC69A702D184D17304CB891BD83C01E93ADA25A92BA843842,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007985587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007985586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007985585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007985584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007985583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007985582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007985581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007985580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007985579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007985578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007985577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007985576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007985575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007985574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007985573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007985571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007985570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007985569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x80000000000000007985564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007985558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.480{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007985557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:16.483{3BF36828-E6CC-60DD-BD01-00000000C801}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897737Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:16.101{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=590BEEB3CBA6DA8EAEDC370E4F2D6F26,SHA256=E03361EEB32B241078C6657CB2EBEC49E5A0FDF2A9C636E04290646ECED72605,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:17.855{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29736453FDF22C310E94BAE43DA3559F,SHA256=CE27115F0B946D60BD2722119869CABDE524BBB9006BBD57244043199F9031D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897738Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:17.101{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48B0F3FB2A94DE87DFCE26A2BBF44C19,SHA256=B29A7AB19464454642B6AC0B5341B3C9A6272A199E868DAC7BDF2F1DEEFBA2C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:18.527{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F84731A19682D06DFB0AE1DCD9A7746D,SHA256=BCD8DA7FE2CC6D9B1B7BCB785F19B69DD2F3238D8D7341AB4CDACFECDD8DAF1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007985615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:15.404{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62105-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897739Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:18.116{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0530C8235AF8BAD272E7E61E9115E9AB,SHA256=09801183495CEF4DFD18E5E074851622D6B341E67A8CA0CE67943C1604B6E3A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:19.277{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D1C6B0A6CD400BAC5DD12500DE4A9EF,SHA256=693ADB9AAE308409991C84B5DCF9A0811D40BEE87EB46FBA54A7BAC5A1A1D280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897740Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:19.116{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35B1C8BE13316FC165B8B83D249D3D68,SHA256=82B353B1FCD8FBB2A2F1969E58955C5356485AD7D0D583738FAC06721650790C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:20.793{3BF36828-DD1D-60DD-3000-00000000C801}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007985618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:20.715{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32190CB70031A4105C1F613576431D4C,SHA256=4F7E7A96601FD75823A83424C69C041C08193A1BA7A567751548B150421F82C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897741Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:20.132{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA429F1417E2BEFBE4D647C91389CDA0,SHA256=1813D5A7CF5DB7890DCDC63DC1A8E0E03F2FF91BF498C55965487685EE2A6468,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007985679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.512{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007985678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.512{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007985677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.496{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007985676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.402{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007985675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.402{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007985674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.402{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007985673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.402{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007985672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.402{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007985671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.402{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007985670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.402{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007985669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.402{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007985668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007985667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007985666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007985665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007985664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007985663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007985662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007985661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007985660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007985659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007985658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007985657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007985656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007985655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007985654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007985653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007985652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007985651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007985650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007985649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007985648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007985647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007985646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007985645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007985644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007985643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007985642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000007985641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007985640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007985639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007985638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007985637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x80000000000000007985636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007985634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007985633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007985631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x80000000000000007985627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007985621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.387{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007985620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.388{3BF36828-E6D1-60DD-BE01-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897743Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:21.132{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=424F846637639785B10CF4F9256D23C9,SHA256=A777E08EEE1233187C4635D40EC288E4F8116DA86B826BFA7E16B40FBF3F59F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897742Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:18.345{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51852-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007985682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:22.762{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B76A303E61B23A2F2DFE75BC306F9273,SHA256=20987B98B41B9184FEE5AEDB6816D5C3E06A75ADB1F5BA6D7CA6047C3889B289,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007985681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:22.074{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F95321327450EBA0AAAA06B8FE254204,SHA256=97C6FD5C00C1BA616777866973AD2537D08A10649373C4B6E6FD6E8BFC7366F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007985680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:19.998{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62106-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000015897744Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:22.148{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03B677DB40364A33C251D86032445D8B,SHA256=31D0266D8601AAE6D6B1B242BDB546F0226DF556C1BF336C2D0CD088657592AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007985739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.574{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007985738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.574{3BF36828-E6D3-60DD-BF01-00000000C801}36643636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.574{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007985736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.574{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007985735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.465{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007985734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.465{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007985733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.465{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007985732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.465{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007985731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.465{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007985730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.465{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007985729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.465{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007985728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.465{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007985727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007985726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007985725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007985724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007985723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007985722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007985721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007985720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007985719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007985718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007985717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007985716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007985715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007985714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007985713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007985712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007985711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007985710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007985709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007985708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007985707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007985706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007985705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007985704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007985703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007985702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007985701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007985700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007985698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007985697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007985696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007985693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007985685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007985684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.451{3BF36828-E6D3-60DD-BF01-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007985683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:23.449{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B97463C16006C806D4C91D2F758DABB,SHA256=15963100A7CB4EC2CC7980043657BEC8B87C3E86DE97E7A96B57A58B87E8E2D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897745Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:23.163{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D172C64809617EE172E9009B420694E5,SHA256=BB0CB3E725AE22E6770D8F428166EE23266DE494EC8A5F9CCE88D5A8D8B0EA2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007985852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.996{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007985851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.980{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007985850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.887{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007985849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.887{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007985848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.887{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007985847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.887{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007985846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.887{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007985845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.887{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007985844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.887{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007985843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.887{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 23542300x80000000000000007985842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C0CF501E21FFC683EE7172026BD1583,SHA256=71DD1BD1BD46374D8A78DE506664895008DEE7ECD2B8CF19DF6FCCC081170260,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007985841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007985840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007985839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007985838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007985837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007985836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007985835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007985834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007985833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007985832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007985831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007985830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007985829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007985828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007985827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007985826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007985825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007985824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007985823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007985822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007985821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007985820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007985819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007985818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007985817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007985816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007985815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007985814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007985813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007985811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007985810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007985807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x80000000000000007985804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007985798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.871{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007985797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.873{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007985796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.246{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007985795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.246{3BF36828-E6D4-60DD-C001-00000000C801}49402536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.246{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007985793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.246{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007985792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.137{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007985791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.137{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007985790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.137{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007985789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.137{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007985788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.137{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007985787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.137{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007985786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.137{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007985785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.137{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007985784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007985783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007985782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007985781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007985780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007985779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 354300x80000000000000007985778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:21.279{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62107-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x80000000000000007985777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007985776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007985775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007985774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007985773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007985772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007985771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007985770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007985769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007985768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007985767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007985766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007985765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007985764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007985763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007985762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007985761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007985760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007985759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007985758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007985757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007985756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007985754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007985753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007985752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007985749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007985741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.121{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007985740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.123{3BF36828-E6D4-60DD-C001-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897746Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:24.163{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11FC1BB9EEACC6C6AE314D286CE1F522,SHA256=FCD875F084E5221057EBDF9E5F77A6921CA2DA48ED8829E46DCB246C64E2DF23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007985911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.699{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007985910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.699{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007985909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.699{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007985908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.590{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007985907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.590{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007985906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.590{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007985905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.590{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007985904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.590{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007985903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.590{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007985902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.590{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007985901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007985900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007985899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007985898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 23542300x80000000000000007985897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E180355BB9A96B21EA532376C8A05901,SHA256=EF1869AC30CB85937F5F2AE6B1816A5E5BBF347E01EFE054F5EDA6F935E31D71,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007985896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007985895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007985894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007985893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x80000000000000007985892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007985891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007985890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007985889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007985888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007985887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007985886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007985885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007985884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007985883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007985882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007985881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007985880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007985879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007985878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007985877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007985876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007985875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007985874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007985873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007985872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007985871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007985869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007985868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007985863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x80000000000000007985860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007985856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.574{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007985855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:25.576{3BF36828-E6D5-60DD-C201-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007985854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.996{3BF36828-E6D4-60DD-C101-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007985853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:24.996{3BF36828-E6D4-60DD-C101-00000000C801}49925000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015897747Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:25.179{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B5E4BF1A6499149C278A8A6268340C1,SHA256=E6DF17CFFABC81372EADE1190933F6BD12A6A682E5F94FA128411107A4008315,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:26.949{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4C787234F8EB37AEC4EF21AC05C0FBA,SHA256=768052D6DE2F74589C27D74484D84166593B04CA41EFFD0D303050D49A97E593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007985912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:26.262{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF95462BE73F6F7C4982776B2763C782,SHA256=9E4941CF504E18E1EE8CC2643066682EE6C91938B5B4CB1C6305F7E68061501F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897749Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:26.195{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91DD7B8098E3BB2FB072A72BBBC5DAF5,SHA256=CCF973B0FEAD50DB38D7651583B19A0E6E240489E34A431812A916D27EFB4719,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897748Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:23.455{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51853-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007985914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:27.699{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E467076D2EB1E8FECEB7D6EE0D357F22,SHA256=57C615B3BBD85B3E211EA356EF26BFA37D1A31C75B4E6CB3BE874973D334DCE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897750Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:27.195{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9B523918B533493295739C91BE5EBDC,SHA256=1D7D1CD8E2952C2945021B0C3E1AB3F82EE550413F1BBC03670388C4E6B9CA06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897752Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:28.289{B81B27B7-880B-60DC-1F00-00000000C701}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897751Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:28.210{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3973AC62D6488BA1E25DFBBCC26AA84E,SHA256=F929CADF5F6886816EFFFF063E5B031AEBE20098C8799F77E1F1454A02C78E5B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:29.731{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4501DB08F5567C17B87C26B6F620085B,SHA256=9C27EEB7CF06871539328EAB680B3AC2458615A6D3C5931893251F02B267BFC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007985915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:26.373{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62108-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897753Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:29.226{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBEA81E55BAE4764648CA4B9A585D4B8,SHA256=E05BA83526CEF116BE922BD005AFD8FB5CEC7553F66FCDAABB2472CD3AAD31E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:30.528{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CF2721995E14C3CA26DCFFF34714754,SHA256=3EBD3D9CDD0786A15683B586D97AC6730A98AD68A51877BB77BBAA84AB40A36C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897755Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:30.242{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4388F4DFE590791080DA5BF18E0B8927,SHA256=56AF6C68F9DD1853FA01B1E5CAB7E2BFD89BAEDB1734A56380AE08AA546DAF3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897754Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:27.580{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51854-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000007985918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:31.293{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB82D863EA9B756D75F03716A8D91EC0,SHA256=3C628FB41B8A0BEEA19BF3194439751B3B0900357851095613F9B078E7B43995,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897757Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:31.257{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B21FDEB394A915E703B6C4DB3391393F,SHA256=042E0B12D4542B0BC89B238A39F0884BBF9E41754AA7D06EAB5D459B4C361E79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897756Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:28.518{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51855-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007985919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:32.043{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC91F72112E04EA68330478E4579C033,SHA256=2CB2CFFB5D3F17F43B0781F2D9592856652FD509B4504FDE6F5F228B31248584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897758Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:32.273{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A340BDCDA17D4C9B9703EC02FA715234,SHA256=4A159CC44A0839ED61EA9A3F7F8B01DB0C595B030D4FB61B2ABE973672916355,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:33.418{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85C42FF66F0262E24F8656B8E1FCB1B4,SHA256=D40FB0C52B74B1EDDF7356443FB21726D1AF0F03ABBAEDE7F7A3AAF154D9E0AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897759Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:33.273{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=307BA476EB95FE63EEC318A7F94F5876,SHA256=8F6A6BE62D7FB6494CDC555C4442CA244F15CD248167C238E051A6F10E6947CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:34.793{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D2720B7B5FB8F3912639D60224BB92F,SHA256=CF327A01C9A798CA16298949F17B559DDA2161952D95426F067F3F85AE4D6588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897760Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:34.273{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D54C493152418E7FE149C2E48D0ABE75,SHA256=2E565C08002A256CEB80DCC55D09A95EFE1B7EFEFAB40C7A039F27100CDF4C92,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007985922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:32.295{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62109-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897761Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:35.289{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=313EBB54A5091603DAEB4D97D055100C,SHA256=3C7E08C58088DE8F801D68B9BABCF3E44AEC9DC62BE3DA26E46AE07ED680BCBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:36.168{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0D0A1A2D1629BBE8386BA7BA206CDED,SHA256=EA9BFABBFD8B474773D06DEF3FCD722C0CC0CD2AC973EA9A857A5C82979619E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015897763Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:34.424{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51856-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897762Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:36.304{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C198C76C2FACE1B3E6850F4BDDCCF265,SHA256=CCB81D77BD5040434949EB8E6693056EDE611E9D9730EFDE5E60238CC972E88B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:37.543{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECE144763A212BC59DD73A4B59E64818,SHA256=E1C6CB47600F999AEB02070C0527FEA00925F4E08E1CADCA226383BC8472B2C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897764Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:37.320{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A032DDCFE08DE4A0E74A08276D127C0E,SHA256=F76BA0FDA93CB091FC958017CDE95FBCE8BA3A7992A4463CC8196D3E7C5FC61D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:38.918{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=880E345D2D7FA6B38FF056735375BFF9,SHA256=A0FAD3EEBC5C540E60EA7A70D6DC363578DBF9B75CDA2C293EDD2642A476F7BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897793Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:38.507{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA0F6BB0E8AEA27CA13D85B1E1B24E4B,SHA256=2032FB61D3B2DD926CB0CF9D0F23BDF3AB60E42075A4BBC3D9B00A8A602A5C3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015897792Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:38.101{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897791Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:38.101{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897790Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:38.101{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897789Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:38.101{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897788Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:38.101{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897787Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:38.101{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897786Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:38.101{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897785Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:38.101{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897784Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:38.101{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897783Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:38.101{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897782Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:38.101{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897781Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:38.101{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897780Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:38.101{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897779Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:38.101{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897778Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:38.101{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897777Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:38.101{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897776Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:38.101{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897775Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:38.101{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897774Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:38.101{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897773Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:38.101{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897772Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:38.101{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897771Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:38.101{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897770Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:38.101{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897769Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:38.101{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897768Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:38.101{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897767Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:38.101{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897766Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:38.101{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897765Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:38.101{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015897794Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:39.523{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D7D767CA5170C052A3AD96F103C9DC4,SHA256=A96D6A851457557666F5D7848B322B57310A4BC263C89019FC6306C8BE9CEE7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:40.279{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2902E7418262C846F6ED72F30FFDA005,SHA256=BA50A16FE725FC4754DBDCDE7C88423B81AA965B6CB428ED210FA95AFFDA8BF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007985927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:40.279{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A1ECE60DE8C832525953A50A2734309,SHA256=A704800AFECF65F596C96FC601D3823CF24EADF363950B109B5EA6239E9FAEFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007985926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:37.294{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62110-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897795Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:40.539{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C805BEF6F43A069CBF981060DDD423,SHA256=DBD40904BD7F67EECB773C96D8ED961FD536C0219299574937F04E27B042C583,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:41.636{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D28C7D3834CA21E6591E1A2CC96DBCCE,SHA256=59C8700182EE2B22843C6C739A2E85DC8AC878CA122CBB3ACD124CC557C806AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897797Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:41.554{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAD04F048E2DA5603B04F2134B2F3038,SHA256=A8E74676FC09A3DDA8383E3C68F7B180C87FE02C2688990793AA2914025C604A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897796Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:39.471{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51857-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007985930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:42.326{3BF36828-DD0D-60DD-1200-00000000C801}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=31106BED8A11C935AF1F7565595AABCA,SHA256=1B7B037B5859CDAC4378114714B9B69DD80A2B308BA27D0335319CEFE522F10C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015897812Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:42.945{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E6E6-60DD-012A-00000000C701}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897811Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:42.945{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897810Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:42.945{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897809Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:42.945{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897808Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:42.945{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897807Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:42.945{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897806Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:42.945{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897805Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:42.945{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897804Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:42.945{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897803Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:42.945{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897802Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:42.945{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E6E6-60DD-012A-00000000C701}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897801Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:42.945{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E6E6-60DD-012A-00000000C701}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897800Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:42.946{B81B27B7-E6E6-60DD-012A-00000000C701}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897799Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:42.570{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72ABAEF5C9CE6E2F99CE467403384297,SHA256=1D7046B51BC69F6193188D27FA8B56AC0F769AC52AD417B27D2667DBAFB594D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000015897798Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:01:42.101{B81B27B7-880A-60DC-1100-00000000C701}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d76e92-0x621c3c14) 23542300x80000000000000007985931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:42.998{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59ED1CCBDB685863F0BA7743BE72B59D,SHA256=24D9CF6C25FE7E831DD64E62B52F26C39BA86D17B1B09763EB173F00B8C5A956,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015897826Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:43.617{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E6E7-60DD-022A-00000000C701}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897825Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:43.617{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897824Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:43.617{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897823Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:43.617{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897822Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:43.617{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897821Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:43.617{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897820Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:43.617{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897819Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:43.617{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897818Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:43.617{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897817Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:43.617{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897816Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:43.617{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E6E7-60DD-022A-00000000C701}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897815Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:43.617{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E6E7-60DD-022A-00000000C701}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897814Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:43.617{B81B27B7-E6E7-60DD-022A-00000000C701}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897813Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:43.585{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2046CC5C8740EC244348E3CBF2EFFC4A,SHA256=B5185FD2318DACB4C73ECCF9EAD247720E59629E81A98F52F36FFD486E309D53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:44.373{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F362CF1483C41F4C6023C4B30CE0CFC7,SHA256=EC8071D54B84BB63017199320CEA83B8AD1C09B682B9D5325CBBB4F66A62E536,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007985932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:42.296{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62111-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897843Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:44.679{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=707F801E7FFB610BF1CE6EE39D913CBC,SHA256=53534A5AAA075A300AFC3A4B03BD52DCD1D9686149BF32B192B753F61AC4AE64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015897842Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:44.445{B81B27B7-E6E8-60DD-032A-00000000C701}12365860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897841Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:44.289{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E6E8-60DD-032A-00000000C701}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897840Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:44.289{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897839Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:44.289{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897838Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:44.289{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897837Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:44.289{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897836Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:44.289{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897835Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:44.289{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897834Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:44.289{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897833Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:44.289{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897832Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:44.289{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897831Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:44.289{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E6E8-60DD-032A-00000000C701}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897830Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:44.289{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E6E8-60DD-032A-00000000C701}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897829Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:44.289{B81B27B7-E6E8-60DD-032A-00000000C701}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897828Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:44.179{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D39E9B7C4E238C837FAF1F59128F60D4,SHA256=9F1C478F08094F212227796B5139A3088A0FCD4474DA6E3AD0E0B57F3881C3DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897827Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:44.179{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9A4A71BC868F3DC6121D81381B02502,SHA256=82E7905F0CEFA925B42C8961C35997893517F7060C22CECB3B6E27CBCC7FB41D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:45.732{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE49EB2BF7E31912364F6AFAEC6A44C,SHA256=3788DC279D0A81EC2273F0897EFF751DC174FBA885C8B064B617DB0202467A33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897845Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:45.695{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F25D3E2225D24F59698CB0E7F750597F,SHA256=86740F7F73C666FE0A139112CB4A01F5268A00E184BE892D8F458829C7566199,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897844Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:45.304{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D39E9B7C4E238C837FAF1F59128F60D4,SHA256=9F1C478F08094F212227796B5139A3088A0FCD4474DA6E3AD0E0B57F3881C3DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897847Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:46.710{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B99CD90480B347B9DF13EB5FAA4A3DE5,SHA256=02C4B49FB4EB3DAEBA1F525F6832CADB3E7FA103EA2E2C6045D9C1239D397A8B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897846Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:44.517{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51858-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007985935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:47.105{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE2874B8CB72D8CEC9F0A8D9C8F00A94,SHA256=2123F371E124397E3044FF64AA86683E6DEB7D06F6D491544F7EFD179746AE91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897862Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:47.732{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A2751776EF92B69EBC74C38B228CB0E,SHA256=C386FA70D8A182618DB9067C08440C40747532148C8FBFDCF9AE8F20FF59DE78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015897861Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:47.491{B81B27B7-E6EB-60DD-042A-00000000C701}48363616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897860Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:47.350{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E6EB-60DD-042A-00000000C701}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897859Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:47.350{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897858Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:47.350{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897857Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:47.350{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897856Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:47.350{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897855Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:47.350{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897854Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:47.350{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897853Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:47.350{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897852Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:47.350{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897851Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:47.350{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E6EB-60DD-042A-00000000C701}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897850Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:47.350{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897849Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:47.350{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E6EB-60DD-042A-00000000C701}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897848Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:47.351{B81B27B7-E6EB-60DD-042A-00000000C701}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007985936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:48.465{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34CCAFE8016F16D7E6C77695349ED4DE,SHA256=DF83B6A344A7669C9E0B2F11ADEE72625DFAA3056427310DE1B0E752CABA7F79,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015897895Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:48.834{B81B27B7-E6EC-60DD-062A-00000000C701}42285604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015897894Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:48.803{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=877B90C1B53189318C5989B26636A6BE,SHA256=104B7B628C1FF278EC0B37F9DE88DAFF730658B78E0E75F4C1B03018EC40A150,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015897893Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:48.691{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E6EC-60DD-062A-00000000C701}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897892Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:48.691{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897891Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:48.691{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897890Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:48.691{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897889Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:48.691{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897888Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:48.691{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897887Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:48.691{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897886Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:48.691{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897885Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:48.691{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897884Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:48.691{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897883Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:48.691{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E6EC-60DD-062A-00000000C701}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897882Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:48.691{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E6EC-60DD-062A-00000000C701}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897881Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:48.691{B81B27B7-E6EC-60DD-062A-00000000C701}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000015897880Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:48.612{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1500-00000000C701}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897879Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:48.612{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1500-00000000C701}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897878Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:48.612{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1500-00000000C701}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015897877Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:48.362{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AD03823EF7B3533CA592AD2AE8D43F9,SHA256=41D7872B57BB6A2D0AAA1059F0434405440B51FC67CFC2FC07B2914874231DC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015897876Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:48.159{B81B27B7-E6EC-60DD-052A-00000000C701}35523424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897875Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:48.019{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E6EC-60DD-052A-00000000C701}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897874Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:48.019{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897873Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:48.019{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897872Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:48.019{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897871Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:48.019{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897870Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:48.019{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897869Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:48.019{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897868Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:48.019{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897867Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:48.019{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897866Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:48.019{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897865Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:48.019{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E6EC-60DD-052A-00000000C701}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897864Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:48.019{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E6EC-60DD-052A-00000000C701}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897863Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:48.019{B81B27B7-E6EC-60DD-052A-00000000C701}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007985938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:49.840{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59B2893B3C56A5AF077FA102155EE61B,SHA256=14F46638281A4C9203D4B34B847271CA15ED3E55C0B1F28D5911983FF5A14D80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007985937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:49.152{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D255EB669C269B2F03F907EABDC78B2E,SHA256=F25F2910CD625DBBD54472E3E4340ECA22F683A89BB914877768C5AAB093D2CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897910Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:49.928{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB410F946748F676E4017D52D6C2A7A0,SHA256=AAEFC3D0DCB1BDBC5C2B4158BED7F63EB7BC23B05060A057E2C83625000040F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897909Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:49.866{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C83D3FD9C7CAC9C77365D1FEFF97B8A3,SHA256=DD24F26EADF94DD54D6486243F4446DEFC33ED6A2B066FD486527AAF76289FB1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015897908Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:49.366{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E6ED-60DD-072A-00000000C701}1220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897907Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:49.366{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897906Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:49.366{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897905Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:49.366{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897904Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:49.366{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897903Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:49.366{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897902Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:49.366{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897901Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:49.366{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897900Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:49.366{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897899Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:49.366{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897898Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:49.366{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E6ED-60DD-072A-00000000C701}1220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897897Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:49.366{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E6ED-60DD-072A-00000000C701}1220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897896Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:49.366{B81B27B7-E6ED-60DD-072A-00000000C701}1220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007985939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:48.309{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62112-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897911Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:50.944{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2848C8D88994BC3E20C627C82137B495,SHA256=84F2AA65F00C423819C6DA97628D9CB19BEEC2A86FFF2CB630EB664D28416949,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:51.199{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B63CD9F291507594195F5A930F77CC01,SHA256=3EF69076C2786B444BAC9D6C6019415AA4464D3E0B83173ABBD99ACB3CFA5E3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897913Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:51.959{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D6D05A605997729B16E17C4C0E87FB2,SHA256=0BE1CF922FF438B95E4C206FDF0ED3F1B583FDA2C73C7840463AFD168DDB7098,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897912Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:49.532{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51859-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007985941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:52.574{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=412B0CB11E16A04CD78B07519596F7AA,SHA256=984E135D11458435A03BC43759A4770521934ACB1F780AB8B0595CC784E4968F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897914Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:52.975{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4B7A86096D01F76A2666B17248B25D9,SHA256=C8E2E33E1342D9A1C9AED0B7CBA0E566FC1C6B5CA05E9F500BF939C69510FA8E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:53.933{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11925F856D3EF6BB819321D206916E8D,SHA256=9DECF973276B2FF95D93297FC27C2B323931D7DCD69D390F93FCFDF601534F19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897915Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:54.006{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09C4A243F0C95DC358C1FFBE62C7D9D5,SHA256=CF03342018B8209DC81E458B5252893EFA38014AEC32E7B4B6D1BC836F83540C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007985944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:53.372{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62113-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007985943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:55.293{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A151D76C970B1A13A3F6D091364C020,SHA256=089E32620C39F7FEBE8BA807B46E65007C705F79D8562D08E4DB22983DE8E5D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897917Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:55.303{B81B27B7-880A-60DC-1000-00000000C701}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2DAD4D0796F5C91F049CEEA1A37FBF3C,SHA256=01E970C9F8316C220BD82ACD17EB6B98277382E4339A95852D1033D63FB79105,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897916Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:55.006{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA5C72DA76F9715B74A26773AF2EFCC8,SHA256=E06F872B6F1CA4A3A8A718BDDB83D875AF4E76F2C46898A2CA8F7301560139F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:56.668{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FC7D394F2E34970DC852ED4F23C2ED9,SHA256=EE2934783447D6FD9EA77455ACA773F4C9D3100E37842AE76D7FBD3B75944AE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897918Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:56.084{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=022BFBA3090FFA898B67DFE517305644,SHA256=D8B5D6B6B12E6015DAF58E6ACD94208C8AB9BA683940A7D67B18FE291115B1B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897920Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:55.501{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51860-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897919Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:57.131{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1BAF0F509C9A93A47F22202D3373208,SHA256=C31D3D613330F12C63AE34AD0706E9108B2DB218E66470BA3ACEAAE46C0C4715,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:58.027{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4A2BEC5240CDF75AE82454F31426846,SHA256=D88B8258F20DC2E2A5C378D85C2BC30C4F34DD793293531D139681185A348CDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007985946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:58.027{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBE11EACE542ACE27B24FE55D4FEAD3A,SHA256=DFF3D841101533B6DF8E638E4036D7140CED4EB663B0C42E71E1DD5D552298D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897921Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:58.131{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B8A78E507F97F76F274B02261F3D829,SHA256=0E29302BA63BEBEC427A848F9D20B7F5A1859D12358FDD7DC78AABEFA33DFF7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897922Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:01:59.209{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93F21192BAD3DC42F35EDCB10C072589,SHA256=E9D7E7C12F11CF2387677AFDBCEE918D68136165F9674525DEC520BFAC2AC0AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007985951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:00.777{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1600-00000000C801}1320C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:00.777{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1600-00000000C801}1320C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:00.777{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1600-00000000C801}1320C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007985948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:00.715{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0987B95EA18F2F6A0C7C9B64C15027F,SHA256=2E7E8C798D034A608577B4986B9E4A9A61E30C2D8AB300515E278D55ADB8C7AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897923Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:00.209{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=948A9D679D12C5E52FC98799E6BFE752,SHA256=33A2E647A9E454D136C9877B07BFEE573D4F304636D839C640C26B1CEA2E69AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007985952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:01:58.465{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62114-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897924Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:01.225{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEBFBF7B48A4C49CC6E3C6702C44156D,SHA256=873EE663981471F012F90ED64157DB65131CA509F57FCD06D12200B3A6B4E9CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:02.184{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A03959802DC03F624BEC9E4B06887122,SHA256=B78FC33567DD3417C3F5AE63F37C3AA9474FE642AC6122240F4F2F72789E456C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897925Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:02.256{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E1A20677A3FDC690E92C2ECCE8BB934,SHA256=8615AE2E2FFC1F08734DFDB4E72A0D2A47B15A142DF8026593CA3933EAB814FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:03.543{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA771FCB27B24BB74D6A83C961A63A6D,SHA256=4C8C61618B9963D9D6E933A1F833E6A3AC02DD994B8088DFBDFADD9F32664766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897926Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:03.272{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE86A3CC6AEC50E54032B4E61A0714B4,SHA256=1D7668B2B1478ABB75EAC0A806E83754CAB83B2E6E2E48241F84FE77299E05AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:04.934{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2644C084A8BB3299CE92DA2A0DC39FEE,SHA256=EA215C3F590CC1845BEE2717A45AC3C3C7902CE6ACAE80EB25D06EFE4F337D62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897928Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:04.303{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8519DB34560F4B7C5C8D81768691466,SHA256=096A53AB296D88D1E6A91D4A062A5F59BB1647F7675E9DDDCB965867EDB78582,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897927Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:01.407{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51861-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897929Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:05.319{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD0F05718CBEBF35A2FA5B7A675E1C71,SHA256=F150903A7EE4C62D10B71013718FDB1C76D7BC589C54D09E346E409CAF2631B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:06.293{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E355D854D68503D9BE0713D08260ADBE,SHA256=0626FC80DF45932F70B2D70604927322418073B5B43D7865A752FD5A3E22942E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897930Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:06.366{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80FF1A432CA70203ADD7923B20666227,SHA256=A93CA0A3D81AB7F0247022FBAD36B7A1270E5CCCC62071C0BDD7F569A4FF6E51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:07.656{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A410BBA529FEEC8947D125F2C9E71BF3,SHA256=E147D80A78299619B8512455C6BBA0F630E107FB08A20D2E4D763AEC695C370C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007985957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:04.480{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62115-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897931Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:07.370{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0372B78AC2237B20A9357B2947732DF4,SHA256=3A5748F3BB4DB705F26D85F8C46A1FDBFDC991F9EB564E63DBACC79A9AFE0C38,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897932Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:08.401{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF3328EA1E9398A2347408DB449D022C,SHA256=0632EE7665533292172E34C5D0AEB6297BABFA4170F0FAFB3399DC83BD3D0D62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:09.031{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4629AAA47762C4818D2041DF3C52E35,SHA256=CA4B9CD40CD8DBE644F703EB47155E26DC0C995815CB8FA677C3C2C06AD6309E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007985959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:09.031{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16551916A812D7A27F16ECF83535EA45,SHA256=527D8CAFEE4977CE3A57605C767E7B6FD653E0C0C7A114F70AC31AD7B1B9B969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897934Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:09.417{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=936908E952DF841F8BA098389F55BDF4,SHA256=8A041A49776FA979981A4DEBFC99AF5C8CAF1EE8C524DA38CCEF2088DDD910A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897933Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:06.411{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51862-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007985961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:10.391{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8225E59B31FDA2FB0FC3104013DA34E7,SHA256=67FCA9FFED4BB7B14B8E7C743979A1B79B661DEB8E24334A4A9C6944C0A878A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897935Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:10.432{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1C5E87D0CE591B16980AD39541AE4C0,SHA256=8AA9583ABE479EDC20C5432551303A9B5DE36408B7E10784CA144C774198F690,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:11.750{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC021899ECC96021F70182CD0E0E471A,SHA256=C4FAA4E7311807F3CF622FA09F91A68DCC0B52B273A83FB15612D3A1C0244B57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897936Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:11.432{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A01B4F4DD2474A2BAD7F3A06AF78B0BC,SHA256=3B93503333D284216DF4DD4FEF4A83A1F480159A329A431631E3A2E189656CBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897937Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:12.448{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FFFFFE06CEBF1B24C3FD3BE86A25CC4,SHA256=66B7F092ADF868AD45A8FA600ED483197CF31AB067CAB084CE5979DC388F1454,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007985966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:10.719{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62117-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007985965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:10.719{3BF36828-DD1D-60DD-2F00-00000000C801}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62117-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007985964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:10.422{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62116-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007985963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:13.125{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=810E244DBA054B74AB128E7B4BF2CCA2,SHA256=739A74142693831F1369DD6D66831F2A702AC85E908614C6A5BB82198377C3BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897938Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:13.464{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16B1D21008F5284DDFDFDFC3F9C377FF,SHA256=8D27DB1537EE8F019846E521D05C2C2B0B983213C5A54701241063E3E8250F6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007985967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:14.484{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D75817A7BEBD02432E46174B8688EF29,SHA256=9E9E8E90A44BF5C8B3EEECC81CBDC875809A7F2597F0F798DBA0E73C2A534F43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897940Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:14.464{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A013A3C717610DAC96D57777FF34FB01,SHA256=2F5A2AE7D95D0D02F8ACDFCC27D8037332435A83BD1E6D6760A719E98A54C01F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897939Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:11.427{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51863-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x80000000000000007986024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.985{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007986023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.985{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007986022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.985{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007986021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.875{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007986020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.875{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007986019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.875{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007986018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.875{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007986017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.875{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007986016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.875{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007986015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.875{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007986014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.875{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007986013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007986012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007986011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007986010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007986009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007986008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007986007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007986006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007986005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007986004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007986003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007986002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007986001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007986000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007985999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007985998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007985997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007985996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007985995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007985994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007985993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007985992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007985991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007985990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007985989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x80000000000000007985988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007985987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007985986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007985985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007985983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007985982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007985979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007985977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x80000000000000007985976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007985971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007985970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007985969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.862{3BF36828-E707-60DD-C301-00000000C801}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007985968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.860{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2418595A90CF80C85443502F005DD2A,SHA256=58BB5618E48D7A1E573F6807B3778F80EDC53B501B909FDC1936C9EE7895097F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897941Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:15.479{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5231DB92B3D4B286A305880680E8519,SHA256=831433B5F3FE8F0A9E8C12A6C0F9364C23248AD0E094F5FB09A99327F4409E5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007986080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.656{3BF36828-E708-60DD-C401-00000000C801}50842680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.656{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007986078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.656{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007986077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.547{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007986076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.547{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007986075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.547{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007986074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.547{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007986073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.547{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007986072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.547{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007986071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.547{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007986070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.547{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007986069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.547{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007986068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007986067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007986066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007986065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007986064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007986063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007986062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007986061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007986060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007986059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007986058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007986057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007986056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007986055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007986054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007986053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007986052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007986051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007986050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007986049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007986048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007986047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007986046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007986045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007986044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007986043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007986042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007986041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007986039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007986038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007986037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x80000000000000007986033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007986026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.531{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007986025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:16.533{3BF36828-E708-60DD-C401-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897942Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:16.559{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2C258444A556F36E79AA64B25E9839C,SHA256=0805A0A007BA5771E934253BA9F7B35A1F85BA367F2BAE476A942E660EFFB295,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:17.906{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F042AF328D6FFD2CAA98C22EA933290C,SHA256=ADEBE5C8549B686937D8A960A01761DEF5D90A7DD7A4B464A518D5FE7A8AEAC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007986082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:15.469{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62118-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007986081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:17.219{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFD3487010469FABE2B9448A521C5468,SHA256=1EB6F9CF637F0B4C1624AD729AF048199B4D87DF52D9D0F0E24774CBAE0F57BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897943Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:17.620{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22023BAB2C75377D3B1EE8FA7F5A2FC2,SHA256=5FA78E21AE01C6378C2157827FD32006475CC3AA3382BBDF555FFD18BEF57C93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:18.594{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EEEC5AB8395CA6160217F95DF00D98F,SHA256=78546CF89B48EAB8E44B77337FAFBBD598BEFBED0B0CF283CAB24B6E0CD61F94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007986084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:18.594{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44BD1344F5F07174BD0EC0772641AD8F,SHA256=71BA9EA7945C5E62D18396B0C61DD483FF89F164F280EEF4C6CD17ACE4D935CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897944Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:18.682{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2F2BEA52E4D41A7FDB02C15A9CF2D4B,SHA256=ED16FAE358552FA56E435E397C74574BDCFCC11D3FA1B804E3EF0C466E666C6C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897946Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:19.714{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=863206FD10373D304E8C8E140D8356A1,SHA256=B6F8940E859B785DE9BEC7D9475C534F09E5DA5B3E001549D837BECD62D4C4D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897945Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:16.442{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51864-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007986087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:20.813{3BF36828-DD1D-60DD-3000-00000000C801}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007986086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:20.016{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09457930E34288426423EA173D535CCA,SHA256=145CE1C4244629C2BA6E0477C338053E22F09F6D5BDE7AC0563E6DE3A197ABED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897947Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:20.729{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73B8EBA3098EA3BB8CF1F685E424C655,SHA256=ED32722F1BAD0D274533167EEDF1833F7CBF0E15F79D949C22AE1328CDF49640,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007986148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.578{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007986147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.578{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007986146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.578{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007986145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.469{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007986144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.469{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007986143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.469{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007986142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.469{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007986141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.469{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007986140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.469{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007986139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.469{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007986138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.469{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007986137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007986136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007986135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007986134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007986133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007986132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007986131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007986130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007986129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007986128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007986127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007986126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007986125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007986124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007986123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007986122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007986121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007986120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007986119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007986118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007986117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007986116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007986115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007986114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007986113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007986112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007986111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007986110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000007986109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007986108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007986107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007986106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x80000000000000007986105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007986103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007986102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007986099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x80000000000000007986096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007986090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007986089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.455{3BF36828-E70D-60DD-C501-00000000C801}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007986088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.453{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A7BD4A0985A7C0F68107D451F8C08EB,SHA256=5946658B58EEBE529663B0D752801670EB5B667F670C21E993B2A6580A7FB7B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897948Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:21.745{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84FE45CA5F5539E4C49FD0E94C22EB66,SHA256=9647B34B608A3E7E35C81AE0A278098573AE9829270F29BE4939E0F888D86764,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:22.828{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA5D29923E45E93307DBFAF453BE755D,SHA256=2C03EC44E87B95AC2C67D583C972BE2313A469381B114D63A3D958ABDD2B77D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007986150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:20.015{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62119-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000007986149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:22.141{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75C0389A14C5506FD67990AD10A07905,SHA256=02DE2394773E0B9EB316CCC5B5896E83259123314309968DBBA092A8D3488FAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897949Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:22.760{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=487A5EBD920724F59E73910D2BE3151D,SHA256=C697FD2E8AF04EDDAD3A9B8838A4EDFE238C4E94D6BB97475BCCBA5D05820485,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007986207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.625{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007986206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.625{3BF36828-E70F-60DD-C601-00000000C801}22524872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.625{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007986204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.625{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007986203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.516{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007986202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.516{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007986201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.516{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007986200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.516{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007986199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.516{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007986198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.516{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007986197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.516{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007986196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.516{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007986195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007986194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007986193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007986192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007986191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007986190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007986189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007986188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007986187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007986186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007986185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007986184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007986183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007986182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007986181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007986180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007986179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007986178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007986177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007986176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007986175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007986174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007986173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007986172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007986171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007986170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007986169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007986168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007986166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007986165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007986164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007986161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007986153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.500{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007986152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:23.502{3BF36828-E70F-60DD-C601-00000000C801}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897951Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:23.776{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CEF91B890FCD55646FF6C08753E6D66,SHA256=51F972D7AF2FAD2CE9EB7EDCE233A5B30B469EEA31DB1348F798209450B7EADB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897950Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:21.489{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51865-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x80000000000000007986319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.953{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007986318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.953{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007986317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.953{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007986316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.953{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007986315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.953{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007986314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.953{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007986313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.953{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007986312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.953{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 23542300x80000000000000007986311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71A41F1EBAC943F621A80F726A54088C,SHA256=201648E0FC8555C8E00B3C14348EEEFBC87E299C6DCFC90541BC8610C42DB5F9,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007986310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007986309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007986308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007986307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007986306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007986305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007986304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007986303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007986302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007986301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007986300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007986299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007986298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007986297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007986296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007986295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007986294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007986293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007986292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007986291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007986290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007986289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007986288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007986287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007986286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007986285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007986284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007986283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007986281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007986280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007986279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007986276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007986268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.938{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007986267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.940{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007986266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:21.406{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62120-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x80000000000000007986265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.313{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007986264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.313{3BF36828-E710-60DD-C701-00000000C801}35324816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.313{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007986262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.313{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007986261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.203{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007986260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.203{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007986259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.203{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007986258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.203{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007986257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.203{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007986256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.203{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007986255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.203{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007986254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.203{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007986253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007986252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007986251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 23542300x80000000000000007986250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9189D6DDB6C2BB2C015F5C8277A76B3C,SHA256=AF17D2FE381CFF4970027BE1F2CFDB65E024150CD733037625E4463D5D95C169,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007986249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007986248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007986247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007986246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007986245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007986244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007986243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007986242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007986241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007986240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007986239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007986238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007986237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007986236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007986235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007986234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007986233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007986232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007986231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007986230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007986229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007986228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007986227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007986226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007986225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007986224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007986222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007986221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007986219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x80000000000000007986216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007986209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.188{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007986208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:24.190{3BF36828-E710-60DD-C701-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897952Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:24.776{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3F8EDA21BC1A21E8DB704C90634325E,SHA256=64F0DFBFFA9227BD885090B5B606C906921233C26FBFA47FC3A7D67468E3231D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007986380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.766{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007986379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.766{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007986378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.766{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007986377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.657{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007986376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.657{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007986375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.657{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007986374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.657{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007986373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.657{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007986372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.657{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007986371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.657{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007986370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007986369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007986368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007986367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007986366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007986365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007986364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007986363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x80000000000000007986362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007986361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007986360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007986359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007986358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007986357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007986356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007986355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007986354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007986353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007986352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007986351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007986350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007986349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007986348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 23542300x80000000000000007986347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BCFD5E7F2C65435596A37582E3464C7,SHA256=48F840FC1AC9F8199B59A9B242D3B466D29A1EA9F82298BF7E9A258A1AA66C56,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007986346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007986345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007986344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007986343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007986342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007986341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007986340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007986338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007986337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007986335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x80000000000000007986331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007986325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.641{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007986324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.642{3BF36828-E711-60DD-C901-00000000C801}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007986323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.063{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007986322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.063{3BF36828-E710-60DD-C801-00000000C801}17964948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.063{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007986320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:25.063{3BF36828-E710-60DD-C801-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000015897953Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:25.776{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B61A5E894BE65A536FAEA3EB58C34ED,SHA256=4D9D4D87D7D8322F07E6C5D074C03B4770EC04043A83A3828013E604616824CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:26.313{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F95C30EA65ED86FE46505A1E287E7F7F,SHA256=2AE41D2EC837360230E8980DB022CE2334B3D66F58AA111A1308B6A05DD16177,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897954Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:26.792{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FFC71CB1150D1B118293156BF829594,SHA256=881BBCBBB35B3850F373D4A1F2B8F667ABFC5F9ADE1B261B639969546617221B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:27.812{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25026E64F24DA2F96824F0BF83D78E32,SHA256=32C5DDC7FC63182BE5B61153F71DC8F247C7D32EF60FB1240A1BE4BBFB818442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007986382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:27.062{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7866B2301E0A7E794E03CB52F522E5E7,SHA256=F7A59A226C20CFCA0C50F0022B672B717E4DB55B1E40AA7A46AB706CC0A69A41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897955Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:27.806{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60EAD451737F5A9C914A24646D9A5931,SHA256=5A73185A87DB7334EEA759F166965D50FD158F1F294FD16994ACC37D16DD5203,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007986384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:26.420{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62121-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897957Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:28.806{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AA56E047E29313A601AEF27D957EA16,SHA256=05C638A8EF3C064EEAD264FC98C269E0D8E701198EAF39E50FE7738AC9F33183,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897956Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:28.306{B81B27B7-880B-60DC-1F00-00000000C701}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:29.265{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D1D722635A4087A5D2964743A5FD8DB,SHA256=3D48FAB5B7D7C625CD3635F8C997757C8B6ACF62EC1EFF82535812740AC2F33D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007986385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:29.265{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=654483211EC6F4E7EA8A472658E4E103,SHA256=9AF84B20971B31B4EE3D56687FF871C98FBDC76872996C2FFF4F6023551675F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897959Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:29.822{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F9FE83071468689636007D694DB2D7A,SHA256=B8C1C525FB12843342D1C74F3A589E89A5540854B6F428343A790A4DADFEB9BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897958Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:27.504{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51866-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897961Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:30.885{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B10B94F35CEBF0259B27E8E50AA49E9,SHA256=6B23BBF8287E5490232E124117CA614AC54A5C91165C8163785D53E9CBA94061,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897960Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:27.598{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51867-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000007986387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:31.296{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF9CBFEBF13B7EFDD9EE7EF55E8BCBB0,SHA256=73112DB9FEAD705C58B98BF0B85BCD4BC737AEF2EBC409D3F9BE9EC03B9BC37F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897963Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:31.900{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51C02278A9A662D425348787257B318E,SHA256=BCA804286A34256F658E44425B65B80417C62568800FED18DCE0C4F1EB84E23B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000015897962Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:02:31.900{B81B27B7-880A-60DC-1100-00000000C701}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d76e92-0x7fcaf820) 23542300x80000000000000007986388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:32.984{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA31A9994EFF1EBC4E31762418DCBF64,SHA256=0631B04ED43426C04D3067055121FC7E673C9786FB65D7AAC5E207CAEE12C70F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897966Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:32.916{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9470E70863A6147D4E625E962D42807,SHA256=430E0EAC6DEA7F196984A9520CDFB177B9D22412FE2E9F851281F833D173A9BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897965Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:32.916{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7262103729208A861CB009D0825C2B9,SHA256=D48974900505A4E878D4FC5388ED5F93881EA63B51A5ACB1C459C8C9D5C34CE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897964Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:32.916{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4043F011700C7F7E5318C764399682EB,SHA256=69293B968A5400D9A1A2CBB91229D13B66DBE9298F202D62BC9F95938F781758,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897969Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:33.947{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA06DAB9A366F1673D2D19CA9AF91746,SHA256=9843116B1C22195823B0BDD4C3BA1865A154BA939C5FB33D9787F94F17851176,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897968Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:31.191{B81B27B7-880A-60DC-1100-00000000C701}988C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-987.attackrange.local123ntpfalse168.61.215.74-123ntp 354300x800000000000000015897967Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:31.191{B81B27B7-880A-60DC-1100-00000000C701}988C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-987.attackrange.local123ntpfalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal123ntp 23542300x80000000000000007986390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:34.406{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18D29B56891E6A7670B5223848A5D6EB,SHA256=8FC048992BEC4FD0852FDFB317A1FB341BD134B9847369A042903BAD8F2DEF8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007986389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:31.139{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-128.attackrange.local123ntpfalse10.0.1.15WIN-HOST-987123ntp 23542300x800000000000000015897971Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:34.978{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5A6454644EC15A8D7562C6E3401FBE3,SHA256=A3E086497F90CFEFC828E91A7A1F121151DA2775050895A2A916321C57DA6655,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015897970Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:32.535{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51868-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007986392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:35.093{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FB91447FB87EA8CC3B7B26F905C98C8,SHA256=2135A1AAE49E020787C9586BA9BF9DC56CD7B301A40C060AF3435B62A997B69F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007986391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:32.467{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62122-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007986393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:36.468{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47035EC9BF88B51BFE81860EF5C9D0E2,SHA256=5F27331FB16F24328F597A8A930F9621DBA3E33F2D30D6A6B97A9516184627B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897972Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:36.025{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D2B98C159C21CCD844447705F8A34C4,SHA256=843C191E42DDB5B21322C5BE943FA6ADCB1BC6EAE96BA6AB6328D2859180AD38,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:37.843{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56FDD50FEA7A9DDAF00ED5074E85BFA0,SHA256=C4D7AAA9F3951F1F3675DFC419A8E5DDF1EF6E143BC80321A91429BE86BCE998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897973Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:37.041{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF2CBA9D152BE53A090C320878ADCF0E,SHA256=2DDB78C42ED1E03997407819954F164756D6869B0B195599EAD5928711CA0F0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015897974Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:38.088{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01D30513A457E05A3B4722A212A733AB,SHA256=CC9C2DD43056A8AE6B7F2E668967A04AAF8A75227CD7C385D0E4F8BEB3A76788,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:39.203{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64C2D8B882991E599F5CF5C3EB02414,SHA256=A31D4370A4CF4185F77350B6FB4454674FDBB0500A7B85F59B16478E3B02A544,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897975Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:39.103{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2711B01121CA4D94AFBDB0E2087665DD,SHA256=AD7E882D7554DE1613FD9B11F69D3436F1CD42B98D3B66B785AB12567890876F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:40.578{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38D4B31D6208B56AB3CE2D1279E9F04D,SHA256=4F1855A62F86DEEB058A47599E007A6875B1A366664C3291491D3D5629AA1B1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007986397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:40.578{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F3337361887828C119FFA01FCCF11CC,SHA256=DF6ADC102F514471BB55390BC159CDF53C7476A79C6350BF12D2144300ABF104,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007986396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:38.233{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62123-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000015897977Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:38.410{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51869-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015897976Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:40.150{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7008DFAA00B044BA0748C1019690558,SHA256=9CC94A98DE82983CF372809BC8BD1BCA76A60777B7AE349AC31B450CB967741B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:41.946{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E01EC7579EDECD075BA9E628BF2A28B1,SHA256=7B0AB7F75D3DEF832D872D42000A4186996410452DEEFE1AE759FF8B27B40B32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015897978Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:41.181{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE67A67182F738FFD7E01D294316E22A,SHA256=9AE7B63EBCE4A2F09723ACEB3ED32BA11F819D0806AB0F1C63E1212E613B50B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:42.336{3BF36828-DD0D-60DD-1200-00000000C801}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=61737C01B4A0004825FAC13BCEA0EE0F,SHA256=AF3DFDDB7B0F1D2A3BA1C7EEC93875BFC3A97871D142B64E705CE31FEBA5058A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015897992Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:42.947{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E722-60DD-082A-00000000C701}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897991Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:42.947{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897990Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:42.947{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897989Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:42.947{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897988Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:42.947{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897987Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:42.947{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897986Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:42.947{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897985Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:42.947{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897984Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:42.947{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897983Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:42.947{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897982Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:42.947{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E722-60DD-082A-00000000C701}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897981Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:42.947{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E722-60DD-082A-00000000C701}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897980Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:42.948{B81B27B7-E722-60DD-082A-00000000C701}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897979Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:42.197{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18C081069F637EB89B2CF3717C9CDDA1,SHA256=843AC02D9105DB19194E370F9B935E0552504544DCDBF73B6617678F1BD3786C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:43.308{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51132B3556469880A6B2928A02CD6A7F,SHA256=101699D35C5539F26F88D141FD3FE5E0270AFD8EC0DCB8E7E8BBA2F21BCE8EE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898009Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:43.978{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62FE9B5F6E5CD0EE8B9A5E1D0E43DB7B,SHA256=EF453B482B2FB3B6DFB8B62EC5BF851AC749399815944612699E3B2E1202B9D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898008Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:43.978{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9470E70863A6147D4E625E962D42807,SHA256=430E0EAC6DEA7F196984A9520CDFB177B9D22412FE2E9F851281F833D173A9BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015898007Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:43.791{B81B27B7-E723-60DD-092A-00000000C701}7323432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898006Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:43.588{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E723-60DD-092A-00000000C701}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898005Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:43.588{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898004Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:43.588{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898003Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:43.588{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898002Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:43.588{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898001Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:43.588{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898000Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:43.588{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897999Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:43.588{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897998Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:43.588{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897997Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:43.588{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015897996Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:43.588{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E723-60DD-092A-00000000C701}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015897995Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:43.588{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E723-60DD-092A-00000000C701}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015897994Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:43.589{B81B27B7-E723-60DD-092A-00000000C701}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015897993Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:43.213{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B91A5C328FA62C0FC561940E64373660,SHA256=E2B28CF4AD81F686E64F469BB912098D245D1471B787E009AF35C4D1727DB02C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:44.667{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C24263960D1D5B84CFC9E7B6AA2E2740,SHA256=C8C25E948E79CB7E58415DA68A2405043A5D412F96C09687411C1B74C9020BE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898023Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:44.244{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=210647EEA2C43D5A52DCB52033407F3B,SHA256=B53F6E0486E5BBDBFE97731E4C80DDA5DD721B5B4342D7F3A58686302EBA46B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015898022Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:44.213{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E724-60DD-0A2A-00000000C701}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898021Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:44.213{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898020Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:44.213{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898019Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:44.213{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898018Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:44.213{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898017Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:44.213{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898016Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:44.213{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898015Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:44.213{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898014Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:44.213{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898013Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:44.213{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898012Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:44.213{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E724-60DD-0A2A-00000000C701}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898011Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:44.213{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E724-60DD-0A2A-00000000C701}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898010Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:44.214{B81B27B7-E724-60DD-0A2A-00000000C701}5168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007986403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:43.259{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62124-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898025Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:45.478{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C391589127CF4B913FBB5443624D193,SHA256=A26B97E02440A63A73DF0BEE41258D7F967528CB65124D09C65D2C560E73AAE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898024Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:45.244{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62FE9B5F6E5CD0EE8B9A5E1D0E43DB7B,SHA256=EF453B482B2FB3B6DFB8B62EC5BF851AC749399815944612699E3B2E1202B9D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:46.042{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F16B7CDD5CB0C259D9ED4B0A0AC0043D,SHA256=813E600ABD9100A16E6A38E1995491DA98B46EA5D146465CC3375BA817CFC2C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898026Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:46.494{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF0B5E058ED074004090B701DD85BDF,SHA256=D42A3CCCB06E0BA92A1FF86F58460B2F20764EB711454992627F2D3275409C09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:47.400{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7607BA960AEB06CE51671D3886075A69,SHA256=AC76257301F4CF27AF028704B96A424E7384A08D82ABAECC2E0D5B41D086E833,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000015898056Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:02:47.895{B81B27B7-880A-60DC-1100-00000000C701}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d76e92-0x8953a598) 10341000x800000000000000015898055Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:47.864{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E727-60DD-0C2A-00000000C701}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898054Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:47.864{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898053Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:47.864{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898052Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:47.864{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898051Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:47.864{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898050Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:47.864{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898049Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:47.864{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898048Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:47.864{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898047Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:47.864{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898046Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:47.864{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898045Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:47.864{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E727-60DD-0C2A-00000000C701}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898044Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:47.864{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E727-60DD-0C2A-00000000C701}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898043Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:47.865{B81B27B7-E727-60DD-0C2A-00000000C701}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000015898042Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:47.582{B81B27B7-E727-60DD-0B2A-00000000C701}9525388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015898041Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:47.504{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66CA73BD714538F28AE82E40D68B081E,SHA256=C227C7DDE3A8C97F75AF9A06A59E89B47BC664E073E11EC4452AE2F8B324BC17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015898040Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:47.363{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E727-60DD-0B2A-00000000C701}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898039Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:47.363{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898038Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:47.363{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898037Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:47.363{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898036Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:47.363{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898035Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:47.363{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898034Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:47.363{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898033Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:47.363{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898032Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:47.363{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898031Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:47.363{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898030Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:47.363{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E727-60DD-0B2A-00000000C701}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898029Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:47.363{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E727-60DD-0B2A-00000000C701}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898028Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:47.364{B81B27B7-E727-60DD-0B2A-00000000C701}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000015898027Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:44.441{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51870-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007986406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:48.775{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42B3CB1B6F911E4ED4BABD7D83FC0DE0,SHA256=9F45C9D05D5B38E45756F0551DE47EF3CB6CF330DA86C34EB29B2A09123FBA21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898072Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:48.520{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F44587D2FEC777B1951F60352513B64,SHA256=8CE4380CB819BC2BD12CDC9B17C18D88ACD8D7C7DFE63DCC701DCE96680EF10B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015898071Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:48.489{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E728-60DD-0D2A-00000000C701}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898070Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:48.489{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898069Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:48.489{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898068Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:48.489{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898067Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:48.489{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898066Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:48.489{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898065Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:48.489{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898064Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:48.489{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898063Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:48.489{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898062Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:48.489{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898061Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:48.489{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E728-60DD-0D2A-00000000C701}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898060Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:48.489{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E728-60DD-0D2A-00000000C701}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898059Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:48.490{B81B27B7-E728-60DD-0D2A-00000000C701}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015898058Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:48.395{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59C8FC7D08BF771440BCB147FF807EA5,SHA256=51A244C879F0952F9E09CDD5883AE8E028283F7CAA2E61518A7383A30F90406A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015898057Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:48.036{B81B27B7-E727-60DD-0C2A-00000000C701}26284300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007986407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:49.447{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=510B8509BCD0B849D86DAA073691E804,SHA256=8C4A3602F32ACE7D12E1F07B2A017A9D9C6593292A711E1730F3DB5C38F05866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898088Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:49.751{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BC897EB880825F22EA6A748F6D1E5EE,SHA256=956B3B89C2F865B543CEF266E560D8C15BAB2C38B02B05CB00AC01E98E52607F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898087Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:49.533{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61D122B20D284A52495751A7527CCB20,SHA256=114DC24D769A2ABB90C24CA73F9851539A8114193A8270ED2C8486A02D425386,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015898086Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:49.314{B81B27B7-E729-60DD-0E2A-00000000C701}26844688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898085Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:49.158{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E729-60DD-0E2A-00000000C701}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898084Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:49.158{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898083Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:49.158{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898082Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:49.158{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898081Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:49.158{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898080Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:49.158{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898079Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:49.158{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898078Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:49.158{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898077Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:49.158{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898076Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:49.158{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898075Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:49.158{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E729-60DD-0E2A-00000000C701}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898074Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:49.158{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E729-60DD-0E2A-00000000C701}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898073Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:49.158{B81B27B7-E729-60DD-0E2A-00000000C701}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007986408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:50.134{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8993AD16B7DE2D4DA44EB442DBE68D1C,SHA256=0486FE8B230C481096C8292DF7BA23EA6198D66AD1BCC06E0027420B2756933C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898089Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:50.754{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5F44BD430F281258520A3412B97FF18,SHA256=193F12E3E3D21319FE2F53A64489E18588E8ED0A0CCA5A6DFDF44F50CB5A903B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007986410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:49.242{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62125-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007986409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:51.494{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B5C02152DCBABFBD7E85DBEB17A23A3,SHA256=6C4ABE5D70F2D044FD998F9364BFA22A8F5B52932B9EAE0712EEAC76822DC866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898090Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:51.786{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C2AA13F73B185BBD8D13472150D25FF,SHA256=D8BFE1F6812DDCB2C2372F5014AD834A194C3284E1D062E69914A8CE06B64DCA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:52.869{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96E2ECE1443AC7F42A0107A0A83E2B59,SHA256=76D977823A4BD0AB017CF6409037AACEC440FFCDB514A29E2F21D52781BF9913,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898091Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:52.801{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB9E28D29182B7B37E140A8BD333F10,SHA256=1CF3BDFDB4F17D736E66A987BCC6757CD5F6F5051531046FEFAA68D12CC6F748,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898093Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:53.817{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62D037B4B1B4A9E06654B59EEDD39E1B,SHA256=BAFB97D2668DCE0067BB42B28065A17551309D8A8236ADEE62145D053B39201C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015898092Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:50.343{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51871-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007986412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:54.228{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FE3975692851A952143F54FC99B5CEF,SHA256=6A38ED9C7781EBC8B04A87E62B504362EFD4F1CAE2D21F06C6998029275C9D5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898094Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:54.817{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07F3CA33807230450A9ACC0398D664E8,SHA256=7DE50D9684219932B70239D0DE81D34F72ADBF26EE877A65D1AE269626D9CEE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:55.588{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F72F14EC2A5BB534FDC553046A8F3F2,SHA256=CEB0626F96C52A2606EC7F443352A5A904D84AF6E6EE79304DB56D4C4C0A7B98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898096Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:55.833{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8025568152FE8AAD0B6D4237E407A2EE,SHA256=4C16B51128B76897229AC570470182F072EAFA941639F861216B60CDD1B4513E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898095Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:55.317{B81B27B7-880A-60DC-1000-00000000C701}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=12F2AC59A0DC7AA896FC8D04C5BC6574,SHA256=6C2CF29DBAC60FAB77F6BF625E63EF328B31756410638013E0522B0E6CA5974B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:56.963{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC145239BFEAE01A339A2DF24A823DAC,SHA256=D2D5101DC736C0D0349842EEAA4BAC3289884648A36C8DF9D872E30C9DEC5AF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007986414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:54.304{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62126-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898097Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:56.848{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC5D02E11F04B387D43606B95A0BCFD,SHA256=E6D1159AED6B1DD4D6FBCAD70E2BC4E9692535DE91071B20689441BFC3BAA14F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898099Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:57.864{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA2C20036A9C61596E58ADF2E17D1BF7,SHA256=F4829DB7AC03DAA7BA9E9718A67704DFEC9F00AD055411724D7FB0D0128CB52A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015898098Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:55.436{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51872-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007986417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:58.322{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A97596218BE9714B341F4F0ED74FD6B7,SHA256=182DB13A1217E72FAE6C7DD710FE2881FB3EDCD7CEB5757C984D8CCCAA36063E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007986416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:58.322{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE6E2775C6129F27DAFF1B30DDF7B61,SHA256=F79EBE7BDB0FCEBB11E3AAFC77C0B7256BA3947A2EDE1ED4394749B346BE2291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898100Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:58.926{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD91FE82131CF82FC70D2CE8574E1D84,SHA256=BC5F0B09BFE9E93FFA5567F8EBB5308B6707D828283CFD5488CA67FFE9F7C2DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:59.681{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23EE0D7A2A0E1393AF209776D2697EA1,SHA256=B0C01D29FB7E22DA92A5071963DA0B7162BC20CA68932CB9097B75ACA6294F1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898101Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:02:59.926{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=455FB4813671582D2B4E5ED60E9E9023,SHA256=4458CE81B38E88182AFF4F04D7FEE2A9372256F7D9D49BD86EB045477C3AFBE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898102Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:00.957{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=744E4142DF9D8C12CE553CA4CFD62BA5,SHA256=1FAF3B0537559CD9E9E014F405E36BD3DB413456D6A349A100EE3076E819C094,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898103Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:01.973{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67C7A77F51E06EB4EA0F3ECEB9200E66,SHA256=0227E644D721C1C2A9DC2A417D9D01B30085C1CBCA49E87618063AE7DD9D79B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:02.385{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1787A807C670BFE869AC268F5AED870,SHA256=EA0F06E7768BDC563B575F2B82E75592291C99E01D44F24DC49BC6659007567B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007986419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:02:59.367{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62127-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000015898104Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:00.546{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51873-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007986421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:03.400{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A533D974DFF135A1EDEC438571EDE81A,SHA256=FD7BF64996DCE02B79AC347EB52EF2C45675EE9354BB7F299335F6A2D081930E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898105Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:03.004{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5DD634FDE07E2920A5DF97CF181FD2,SHA256=F8ED482E7772809896E9D2D77B3768971B0240C7B90DB9E874943E68B4F19867,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:04.775{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85443F4669D639C15D472AC8D21CFE04,SHA256=2102536BFBB684D82D789B3B7426EBAAC7F7C3B9EF704643915F6189940F8806,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898106Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:04.035{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A41A7BED88DD165E82A7C2142D88495,SHA256=47FD8420AC0AA6D318CD7BCE89E0C15A35A318FB99F82403647891ACCEC5DA72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898107Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:05.083{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=259EC489C6A1BB813E22331B5E7F2070,SHA256=69C567DB09ED62C56FA58AEE6AC6733E7FC04BA1B63E8782D1059E92EB21856D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:06.150{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F217196D57D13AA83632F0C06A6C0747,SHA256=197EDF55F5E1CEB0805A80AE96C154679C18C55153D991686D1EA47FB441C068,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898108Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:06.098{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4260E223A89848A6D052D12E22DF77C5,SHA256=4DE55A8478C3F8A2BDC0DD3100CE135F615DB01C378033B00D35837994386EC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:07.511{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=195054E5AF200E6023EBB3218C533CFD,SHA256=1DB7A4E90AE567732BAB85D52F48AF8BA11E556135524D3A38165762EE6EC2B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007986424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:04.445{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62128-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898109Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:07.114{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1FC23EEB78C0943846F3A477B69DD33,SHA256=F451115392E87D3EAB084CD7C6629BE508F873A2649E8060EF462F184A27684A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:08.871{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579951C2D6AFFE3B26E555194C3DB738,SHA256=7DAF7D68DF2FB2F480773D8A0472DFF09187A579AAE9B8F9D215E2CDBBFDEF60,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015898111Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:06.311{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51874-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898110Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:08.130{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD034D84792F0495DD671DB382E486D1,SHA256=35E441C7C00BD2411ECDAF3D60B614CA8FB4DB972932AD1C63A20961F32AB884,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:09.558{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1F41C8F82E2E9424A19C0CD4CEB3FCB,SHA256=20CB258173292704F3FAADB81512B9DEB55D6EB2A4BC6AF908810EE516D31893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898112Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:09.145{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D11D2052F64D96240957608F65EAF970,SHA256=5D923449140263A755F4ED734F8C628B24C86BD27EC4A3B8E214DD4D20D2C683,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:10.246{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC187A77FFE925371DF9DA4CBACE6FF4,SHA256=78894D9F93CED91E0167E1C41E07A1AE0F5D22697A8E0C360B93DD505BEAB055,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898113Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:10.177{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB5A152D328188527B66EDD1E6A9B5E7,SHA256=373D5FD8FF490612F76FB5D7D42A9DD34C2B8DB0D8C5E5E305D853D60E0829EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:11.605{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0A29FF1DB300F1808708C0F14104DAC,SHA256=5C3142BBB8F2531AFF5F87AE026CEA8563CC9073F155F04D4347565CA4ABE8C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898114Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:11.192{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48889AE0422F403DE5DD3BFA88B1E0E6,SHA256=38431604DBEF8EC1F0A12CD35B4E96EDFE3118B8401E16ADD82309884816EC27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:12.965{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91BAD53A0B06CDBFA4C1EC60CE6ADB2E,SHA256=36DA4BCF38E6F4747BFD6498AF216E29CAB236A6E27BE068B1672A71D10AE84C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007986430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:10.259{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62129-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898115Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:12.208{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EDD896747BD684CA93F0A4BB931D9B7,SHA256=C4248A7D576EBDF89D088C48B995B255CCE0081AC5ABDE3792B020A02581672D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007986433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:10.728{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62130-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007986432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:10.728{3BF36828-DD1D-60DD-2F00-00000000C801}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62130-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x800000000000000015898117Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:11.437{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51875-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898116Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:13.255{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246FE1BDDA94F3D2114ED08FB810AB95,SHA256=1875713DF364CDB306302EFDAB5B0FC8934F29DC1642E9A3C3FD2431F2042CD5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:14.340{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DA0A27684B5CFFB52B190A210C3BA4C,SHA256=5FC65D0E5BD5C1C220CC5831132065CB46464254FA1750DCD6DA9FB9BE4A08CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898118Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:14.302{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=653DFE425EB2E8C8A903638144186A42,SHA256=5ACB5A4104F9E6427732EE27F06605A07667E894ABCD1C4045756D18C87599F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:15.699{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D4FC24E2BCF1E9D6A32C2756FEEF75,SHA256=1C5C5EEA0C50F65283A516F35EF2D5BB89D421052A0CB59214B4F34216256C8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898119Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:15.348{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F574A051BEB18218B78D0A6CED536733,SHA256=490B8C89A20F8132C02F863F06D2E7706563A742B11C673712881D1C42199E34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007986491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.511{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007986490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.511{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007986489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.496{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007986488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.402{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007986487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.402{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007986486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.402{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007986485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.402{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007986484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.402{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007986483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.402{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007986482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.402{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007986481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007986480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007986479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007986478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007986477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007986476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007986475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007986474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007986473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007986472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007986471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007986470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007986469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007986468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007986467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007986466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007986465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007986464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007986463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007986462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007986461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007986460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007986459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007986458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007986457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007986456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007986455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007986454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x80000000000000007986453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007986452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007986450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007986449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007986447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x80000000000000007986443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007986437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.386{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007986436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:16.388{3BF36828-E744-60DD-CA01-00000000C801}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015898120Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:16.364{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4EE7681A6C309CB61E4942FDD3A4BAE,SHA256=0DDFFD15A00C092569E8C750356506D8D623A999B0468AA5D72186E66662B25A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007986549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:15.462{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62131-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000007986548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.199{3BF36828-E745-60DD-CB01-00000000C801}37682248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.199{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007986546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.199{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007986545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.090{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007986544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.090{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007986543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.090{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007986542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.090{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007986541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.090{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007986540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.090{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007986539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.090{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007986538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.090{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007986537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.090{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007986536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007986535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007986534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007986533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007986532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007986531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007986530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007986529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007986528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007986527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007986526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007986525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007986524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 23542300x80000000000000007986523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAB9A1E96B2C0DC6958EFFD9E614BCD1,SHA256=DD9BC5E5DB60C79667547A058E673095B0B306FC778BA9D3147F1FB79AB5E00C,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007986522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007986521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007986520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007986519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007986518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007986517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007986516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007986515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007986514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007986513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007986512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007986511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007986510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007986509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007986508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007986506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007986505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007986502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x80000000000000007986499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007986493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.074{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007986492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:17.076{3BF36828-E745-60DD-CB01-00000000C801}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015898121Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:17.364{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DD3888BCE96EE86362EF7BBB53A8A14,SHA256=52EAA90D5B3FFE9B6F9D02F1ACEE10A0995F2EB318F5606D70EC8B927015CF70,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:18.433{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=674EE48AD0F7D481B393FCCDD45553D3,SHA256=163D7FA0960CD7E3F75094F91CFBAEF06369FF95AE1907E3D126BFFE3518782A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898122Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:18.364{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77FA760BD6AA95AEC019C2592FBCF491,SHA256=82B6841F2173ED94C575AE05A5DCE19A2EC4A01571EB03E9C5C433FE2C103D27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:19.871{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AE70B285CBC6DCFAED593FCCF4FA9F5,SHA256=44959387D6A033F704A4D0693EE3B40445DAE35BF35F119834C82EBE04E6884D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007986551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:19.121{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03FDDBEDC89213B7D40E9A09FD994B56,SHA256=DAE4A56AD1C6B18BBF459129685B49E655495E89950FF9A8E2966A451CF4286E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898124Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:19.364{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AF6F11447CF6742ACECCCA582FAA04F,SHA256=165286CA1E9DDE39C8412AD51C18CEDC2F7BE42D6581949D10DB3EF123791D97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015898123Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:16.515{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51876-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007986553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:20.840{3BF36828-DD1D-60DD-3000-00000000C801}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898125Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:20.379{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=011DAB191E3B74F624457A047B5FF540,SHA256=684C81DB5D94407CF592E05051283C7A23223DAADAC5DA76C6BA168EF49E7C08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007986603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007986602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007986601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007986600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007986599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007986598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007986597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007986596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007986595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007986594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007986593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007986592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007986591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007986590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007986589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007986588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007986587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007986586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007986585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007986584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007986583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007986582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007986581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007986580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007986579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007986578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007986577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007986576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000007986575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007986574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007986573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007986572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x80000000000000007986571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007986569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007986568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007986566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x80000000000000007986562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007986556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.980{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007986555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.983{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007986554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.293{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7302715D7F1F9BE05815F531F94E8A8E,SHA256=4068C48D96CE95A554FCF70E90E04F70F92C0693432DD1F9879335A593BECF28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898126Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:21.395{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F148ED18052116E4C9265220B1B6DFA,SHA256=4BCD3DB11CDEDCCEEEEF64F61689AEEFC387DF8BCB7565CDCE9B617BD5EAE700,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:22.668{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5F19350E1D098338F32C68636836131,SHA256=20B66D5F8F9314B8AB10B5F5129FDD0E523607CF5AFBD9C0AD7988D1DC75964E,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007986614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:22.105{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007986613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:22.105{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007986612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:22.105{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007986611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.996{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007986610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.996{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007986609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.996{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007986608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.996{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007986607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.996{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007986606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.996{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007986605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.996{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007986604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.996{3BF36828-E749-60DD-CC01-00000000C801}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 23542300x800000000000000015898127Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:22.411{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EA5D8F054EF013A68928F05BC825BDA,SHA256=FAE90AD694DD23496D460431DBFFABD7E7ADCEE4A0FC4EE13F1F91C7DE7AEA7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007986618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:21.415{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62133-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007986617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:23.355{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB702587746A9960FEF32E48359CBA53,SHA256=3B1F977E43F191D0CDDDBD6DA3BC38652417638107107DB3FDAC6535B82BCC24,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007986616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:20.040{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62132-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000015898128Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:23.426{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4854F7A31FECE7C28E069EFA844A8556,SHA256=48B0370F48F9F58DF8D509238238AB3F4247AD94E39CD290DA87E55386C7FA61,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007986731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.840{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007986730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.840{3BF36828-E74C-60DD-CE01-00000000C801}46882408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.840{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007986728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.840{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007986727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.730{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007986726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.730{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007986725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.730{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007986724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.730{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007986723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.730{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007986722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.730{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007986721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.730{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007986720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.730{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007986719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007986718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007986717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007986716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007986715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007986714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007986713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007986712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007986711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007986710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007986709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007986708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007986707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007986706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007986705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007986704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007986703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007986702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007986701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007986700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007986699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007986698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007986697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007986696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007986695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007986694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007986693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007986692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007986690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007986689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007986688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007986685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007986677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.715{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007986676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.716{3BF36828-E74C-60DD-CE01-00000000C801}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007986675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.168{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007986674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.168{3BF36828-E74C-60DD-CD01-00000000C801}37402520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.168{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007986672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.168{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007986671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.058{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007986670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.058{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007986669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.058{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007986668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.058{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007986667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.058{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007986666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.058{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007986665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.058{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007986664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.058{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007986663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007986662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007986661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007986660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007986659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007986658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007986657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007986656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007986655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007986654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007986653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007986652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007986651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007986650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007986649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007986648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007986647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007986646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007986645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007986644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007986643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007986642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007986641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007986640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007986639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007986638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007986637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007986636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007986634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007986633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007986632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007986629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007986621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007986620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.046{3BF36828-E74C-60DD-CD01-00000000C801}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007986619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:24.043{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABABB192791B36BA89951BC56DF31264,SHA256=0117603779CFE9D4C3CA4740626CD8CAF4CDF135812A26736AADD881AC242C4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898129Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:24.426{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0570C22EAED4AF22568F195DDB9843A,SHA256=63FABEFFE2CFF4C695CC552518A87FFDEC83E482759C83FCB4A99CA4FA7AC9C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007986789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.590{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007986788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.590{3BF36828-E74D-60DD-CF01-00000000C801}41443292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.590{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007986786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.574{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007986785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.480{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007986784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.480{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007986783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.480{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007986782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.480{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007986781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.480{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007986780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.480{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007986779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.480{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007986778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.480{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 23542300x80000000000000007986777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4E88A11DB76F8F60059E6C74F3084CC,SHA256=8B99625A68EACB2C9C2F5604886325DA84A5C4AC4ADB629A68B0912A65F68406,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007986776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007986775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007986774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007986773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007986772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007986771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007986770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007986769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007986768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007986767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007986766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007986765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007986764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007986763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007986762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007986761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007986760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007986759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007986758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007986757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007986756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007986755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007986754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007986753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007986752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007986751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007986750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007986749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007986748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007986746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007986745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007986742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x80000000000000007986739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007986733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.465{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007986732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:25.467{3BF36828-E74D-60DD-CF01-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015898131Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:25.442{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B7BA6D7D779FF4FE1013D4073C12506,SHA256=85AA0081D64F2EC416402F650ED603BE5EE960CBB03407FA9A8AF1D92ABEB4E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015898130Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:22.359{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51877-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007986847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.855{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=044AAA45309FE842788A6087A5E83A99,SHA256=535D1183CF89DAF1D70B0BD3F6E4D1A7D9C299659C538E4155541E716F54A010,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007986846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.277{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007986845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.277{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007986844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.277{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007986843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.168{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007986842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.168{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007986841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.168{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007986840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.168{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007986839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.168{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007986838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.168{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007986837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.168{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 23542300x80000000000000007986836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFE0DEE7FEC2C17BA1202B0511160928,SHA256=A7F1E5E6BAE42EEE5D5F449AC39AF5A624A1338AA01CE4C3ED6BB8419ECDBE45,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007986835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007986834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007986833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007986832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007986831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007986830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007986829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007986828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x80000000000000007986827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007986826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007986825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007986824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007986823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007986822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007986821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007986820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007986819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007986818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007986817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007986816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007986815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007986814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007986813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007986812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007986811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007986810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007986809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007986808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007986807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007986806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007986804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007986803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007986800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x80000000000000007986797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007986791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.152{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007986790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:26.154{3BF36828-E74E-60DD-D001-00000000C801}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015898132Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:26.442{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB52D8B147A04FCADF9D547AC4922BF4,SHA256=87ED812DA37A8C17B4E3CC489AC7D05BECF93FFE164B1419565088A9BFB1BD8B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:27.543{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC503BA863CB623E2949F532496E6E65,SHA256=67DE5909BFBBC6D8B5B012F1D2A3F2013FF5B66A0394D3B8D91B046BF9505EF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898133Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:27.457{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F62319E7650CEB9746149774523729E0,SHA256=0145F545DC45A5B42E496610D39884B8130871A997C95E469CA83E8BFA37EA7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:28.293{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA69C759C235A0C2F5C47F8A117105CA,SHA256=35F41736C6F27DAD47641213ED79921E3F18A22A050F0E362B5AD0845634BB2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898135Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:28.457{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED85BA4C77844201138F3F75B98495AB,SHA256=A5346B3FB46694E84DF087083A912C896C327E9E39A197BF833CA0985390DFBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898134Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:28.332{B81B27B7-880B-60DC-1F00-00000000C701}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:29.808{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E621850F5579705A65C1FC4BAC936F9,SHA256=3D01F458361A08AE4CC431B93C07591C2AE78180EB3645171C7B030F6448850F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007986850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:29.808{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=937C24901B8388F5F000533E575BDED7,SHA256=4DFFD1782E6B8CF206206D717CF73947D637C1421C1BE6ED342E11F8E0D6EABD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898137Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:29.473{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D68CFF09973DDDB83B703587457FD064,SHA256=72877299B6172C313DA9028082D8FDD65044427E6A4E04BA9C0A3A46AA2690D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015898136Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:27.405{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51878-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000007986852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:27.352{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62134-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898139Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:30.488{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09E10350DA3A0FCF3F9F5BBF608F3927,SHA256=62294AD022636FFAB010874ECADCAD82A4E12CB24E5F2FFA675C7EDD9360585F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015898138Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:27.624{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51879-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000007986853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:31.246{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DAD69D6FE7C631163E76AD6D71F887E,SHA256=3E378072788CFBC865A44C265404483B647448F55CE9BBF92780CF9F26F1D66F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898140Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:31.488{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62F9A5935514F5C9BA693B625FD397EF,SHA256=3C96A3C128DFC83669D2DC1A2B10EF80ED2A4F3DC4B24AE27A5EAC4A8A355060,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898141Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:32.504{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9672EEDEE8AE7DF002BCF1C139F8240,SHA256=2FE684F133ADE48027CC268F16C0DD6347B7DE750BF0D7EAAF3D4846E49B76EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898142Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:33.519{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D029861012A01712A22D6A92E7C5D3C,SHA256=5BAD08D0170616F473D67155645502ABF36D10E325A6A13AEB3895A20860DD55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:34.949{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F59BC7D415B5F82C3102B85AA30E4FC,SHA256=EC981F746612A33DDF8B316D20045EE0676CCE52301C6F7029088A68926F0DF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898143Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:34.535{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4B00C25A14237EE528413B0DAD3DE6D,SHA256=6709878BC8017E6528AB6938B7A5363938E16E93E34E72396F0B32BCF5A7F9E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898145Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:35.551{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BCE80E5A762D71A8BB20F43F43259D4,SHA256=432EAD08C80774EC30C4BCEC3B388F85054EE254E601B88FAA65CAE58ECB1556,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015898144Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:33.437{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51880-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000007986856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:33.337{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62135-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007986855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:36.387{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9A5A5D62737FF0C5B1F0D7EE9439DEF,SHA256=D544DF368ACF0FC00E311A05E0AD6C561F15D4A7C814B28B58F9F0361EB6B9B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898146Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:36.551{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C502949C7116C6C25BF09FC84FD0BBAB,SHA256=7590A982FB027437B7421A9E663E38CB16B11B9AF1526F7B0E7359734892BBD4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:37.762{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD8ECAF426BC0886A8D3EA91DD501D1D,SHA256=2EA001774FFC470F027C4934BEBB1C654897170DF8C3C972F277301349F4A312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898147Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:37.566{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39CB4E5060DD91A37B338B1E3AB3DD09,SHA256=AEE850A479E93BF673A93E22F71F1698809CBFF14668A1510BB9A97F9E3F2B2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898148Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:38.582{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA9056CF4D6D4B2579D825FD13013B7,SHA256=5B05038735C1F92A014F5E307AA54D1046C8319C21A1FC87A95CFD46EF6628F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:39.121{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6A36CA0748D2E7D820D7303D363D726,SHA256=7E8D89B749BCDAF19FB4DF2ECA6FAFA64A34AC754D17C0F0FEFC39209F9615FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898177Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:39.988{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8742CDED8EDFEFADC4CF08B751A50FA,SHA256=87DDC2FC0A0883956BD53C9824FC9CFBAB41A288046EC1932BE44FFD51E8A1E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015898176Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:39.113{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898175Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:39.113{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898174Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:39.113{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898173Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:39.113{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898172Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:39.113{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898171Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:39.113{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898170Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:39.113{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898169Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:39.113{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898168Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:39.113{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898167Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:39.113{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898166Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:39.113{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898165Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:39.113{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898164Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:39.113{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898163Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:39.113{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898162Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:39.113{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898161Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:39.113{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898160Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:39.113{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898159Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:39.113{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898158Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:39.113{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898157Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:39.113{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898156Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:39.113{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898155Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:39.113{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898154Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:39.113{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898153Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:39.113{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898152Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:39.113{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898151Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:39.113{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898150Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:39.113{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898149Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:39.113{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000007986860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:38.430{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62136-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007986859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:40.480{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B831051B28FD452E683D552DED1C9D0,SHA256=02F029EC79D11531A13CD2E5CF15C804D9D69D268F408A3EDD9A3C27FB24B539,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007986862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:41.825{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63B40BA95802CEEF5A53F1BEBDC2B9C0,SHA256=C6235AFC7DC2CE7050C42FDCF4B41CF32BD02DE87047108B1EEB569962FB82A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007986861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:41.137{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95C5B76DC59542BCA8929AFA1804D92D,SHA256=B8E07FE2AF68106A755DC0BAB204701F12B556B58E20B623E10BAE9CC0D3A189,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015898179Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:39.389{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51881-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898178Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:41.035{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B17ED0ABB7F23BE52DDA36D0A89DFE7,SHA256=A433A526FF39B96717D0FF3BBC1CD38056CE1525088E6400E958709DA524E480,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:42.341{3BF36828-DD0D-60DD-1200-00000000C801}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=57D652352992BAE01DFB1A10847886B9,SHA256=5FF536C568141E966370E73E25E7403B603FA8080FBFBA3C44DCA57571BDFC35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015898193Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:42.957{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E75E-60DD-0F2A-00000000C701}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898192Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:42.957{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898191Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:42.957{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898190Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:42.957{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898189Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:42.957{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898188Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:42.957{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898187Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:42.957{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898186Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:42.957{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898185Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:42.957{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898184Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:42.957{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898183Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:42.957{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E75E-60DD-0F2A-00000000C701}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898182Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:42.957{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E75E-60DD-0F2A-00000000C701}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898181Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:42.957{B81B27B7-E75E-60DD-0F2A-00000000C701}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015898180Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:42.082{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=920F5895BAAB36B490A7910685BF06AA,SHA256=B8E9929BBF440E321B359CB5BF8A7C4EFEB3CAFF8AC7C7E8D7FD5DB930021771,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:43.182{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C1B93F0614156DE57CA2DDD0544C3BE,SHA256=0123C994D228F2921A14126C8C500997AB13596283A88146BDE485ACCEBC19CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898210Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:43.972{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF34F8D6F5EFF7E2FD7714304E0B9B05,SHA256=B25D7C228640810B85412AAEDAF3A8B864DCFE7BFC7C70D14A0F63D8C10A3808,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898209Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:43.972{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=017E7A9469946EA0E022E4AA6323A1D5,SHA256=96C98397CFA6C6C0B84DE7C3841C816E4EAB02C7C6CE1230872A49E6A0D59766,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015898208Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:43.629{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E75F-60DD-102A-00000000C701}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898207Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:43.629{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898206Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:43.629{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898205Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:43.629{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898204Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:43.629{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898203Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:43.629{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898202Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:43.629{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898201Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:43.629{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898200Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:43.629{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898199Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:43.629{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898198Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:43.629{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E75F-60DD-102A-00000000C701}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898197Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:43.629{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E75F-60DD-102A-00000000C701}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898196Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:43.629{B81B27B7-E75F-60DD-102A-00000000C701}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000015898195Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:43.113{B81B27B7-E75E-60DD-0F2A-00000000C701}30203044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015898194Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:43.113{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A63D53D98687EB67AFE6428E3D183A9,SHA256=803DA6FA9DFBD6B3E1DADB91F57468BF7C9E85E064E06EE0A7810EF5E48E56FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:44.560{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A79E4C72C2E736F7FFE050B4BCFC65B5,SHA256=BBD8403B992E83010B232C128BBAA9160E76FD7764A26565103719962AF87803,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015898224Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:44.176{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E760-60DD-112A-00000000C701}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898223Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:44.176{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898222Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:44.176{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898221Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:44.176{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898220Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:44.176{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898219Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:44.176{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898218Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:44.176{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898217Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:44.176{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898216Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:44.176{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898215Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:44.176{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898214Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:44.176{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E760-60DD-112A-00000000C701}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898213Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:44.176{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E760-60DD-112A-00000000C701}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898212Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:44.177{B81B27B7-E760-60DD-112A-00000000C701}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015898211Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:44.129{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D2009985694000123E8568B3FAD4011,SHA256=7AFE677B5556FD636F82D8A71B90CB2CB401CB4053F956B3FEA76D67C57F0F9E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:45.919{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7BA531745D15FFB81BB15977D3880AE,SHA256=7DB0F2B9EAEE025C6A830510762382DDBBE8755B067D0DDDA561FE2D8FAF9AA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898226Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:45.254{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF34F8D6F5EFF7E2FD7714304E0B9B05,SHA256=B25D7C228640810B85412AAEDAF3A8B864DCFE7BFC7C70D14A0F63D8C10A3808,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898225Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:45.160{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD02738F8543B588157675A42BBDE0CB,SHA256=A219394D2D4C35008E534631CE5861270ABEEBF36608340EB88400325A614D73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015898228Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:44.436{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51882-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898227Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:46.175{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ABE382869D6AE67BAB9DDC2C94A0A29,SHA256=DF8D073BA1F5902FFD0DED951104E93662CA74D68A346F22E6B162A657807169,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007986868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:44.306{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62137-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007986867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:47.294{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45AAA618FBF4C2E12190AD2DBF6518AA,SHA256=7330DDE42630B095FCC21B9B52992FCF41D8EEB9B0FA78257D69E068AF9B71D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015898253Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:47.552{B81B27B7-E763-60DD-122A-00000000C701}30045368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000015898252Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:03:47.411{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000015898251Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:03:47.411{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x055c84fd) 13241300x800000000000000015898250Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:03:47.411{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d76e8a-0x4abf0b07) 13241300x800000000000000015898249Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:03:47.411{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d76e92-0xac837307) 13241300x800000000000000015898248Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:03:47.411{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d76e9b-0x0e47db07) 13241300x800000000000000015898247Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:03:47.411{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000015898246Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:03:47.411{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x055c84fd) 13241300x800000000000000015898245Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:03:47.411{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d76e8a-0x4abf0b07) 13241300x800000000000000015898244Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:03:47.411{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d76e92-0xac837307) 13241300x800000000000000015898243Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:03:47.411{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d76e9b-0x0e47db07) 10341000x800000000000000015898242Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:47.364{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E763-60DD-122A-00000000C701}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898241Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:47.364{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898240Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:47.364{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898239Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:47.364{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898238Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:47.364{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898237Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:47.364{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898236Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:47.364{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898235Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:47.364{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898234Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:47.364{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898233Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:47.364{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898232Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:47.364{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E763-60DD-122A-00000000C701}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898231Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:47.364{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E763-60DD-122A-00000000C701}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898230Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:47.365{B81B27B7-E763-60DD-122A-00000000C701}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015898229Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:47.192{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC2A5D6B5F2E7B0754E3B9EB6D15EF9C,SHA256=C94FBCF667BB6D71C48C0A316396423C4B79B0928A9D04DFF4E8FC1DE9DDC61E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:48.654{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3336CC954A7FB12DED1311169FB008FC,SHA256=8223B3A41ECABAB94C37E35BF51AAD1607FFCADBC0B4689ABCE94A466CB43341,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015898283Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:48.850{B81B27B7-E764-60DD-142A-00000000C701}32044468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015898282Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:48.723{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BBEE3D0A77BC348DB542D9DB738D1F3,SHA256=3A489E944E8CB49C723F402B107FA77702588EE33A0D9E11F81811F547A38994,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898281Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:48.723{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68B1C37BEE6C11152AD5F8831908AE32,SHA256=0603228961DBFDC1438C9906F100A9B71A1F29BFD6D44DABD045069E3672E3AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015898280Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:48.708{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E764-60DD-142A-00000000C701}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898279Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:48.708{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898278Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:48.708{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898277Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:48.708{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898276Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:48.708{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898275Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:48.708{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898274Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:48.708{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898273Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:48.708{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898272Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:48.708{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898271Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:48.708{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898270Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:48.708{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E764-60DD-142A-00000000C701}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898269Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:48.708{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E764-60DD-142A-00000000C701}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898268Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:48.708{B81B27B7-E764-60DD-142A-00000000C701}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000015898267Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:48.177{B81B27B7-E764-60DD-132A-00000000C701}34805444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898266Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:48.036{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E764-60DD-132A-00000000C701}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898265Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:48.036{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898264Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:48.036{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898263Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:48.036{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898262Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:48.036{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898261Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:48.036{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898260Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:48.036{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898259Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:48.036{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898258Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:48.036{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898257Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:48.036{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898256Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:48.036{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E764-60DD-132A-00000000C701}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898255Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:48.036{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E764-60DD-132A-00000000C701}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898254Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:48.037{B81B27B7-E764-60DD-132A-00000000C701}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015898298Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:49.863{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42C4FD5FBDAD271EADD2A0A03917D19E,SHA256=F4E70FC1BE0546C8EBDC2B97A95A928FFEB437E5A367A40D2C5EE185AB472786,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898297Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:49.863{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB960DA1A22CC022217C661186A2DE2E,SHA256=23FEE3681207F082EC42F010220052D2E85D0D3F3F6ACD883F0355E311F587DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015898296Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:49.381{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E765-60DD-152A-00000000C701}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898295Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:49.381{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898294Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:49.381{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898293Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:49.381{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898292Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:49.381{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898291Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:49.381{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898290Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:49.381{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898289Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:49.381{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898288Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:49.381{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898287Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:49.381{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898286Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:49.381{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E765-60DD-152A-00000000C701}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898285Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:49.381{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E765-60DD-152A-00000000C701}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898284Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:49.382{B81B27B7-E765-60DD-152A-00000000C701}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007986871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:50.013{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93604F3B0A63F77E341CBD03DE13EA58,SHA256=F341EC032660AC3B6E632190F3C1CCEFA56E849F8885E5E4E34637403E8E5237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007986870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:50.013{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAFA3966FA985D22A52F668F323399EA,SHA256=8BE4ECA40CF4599685ED26884596084F1166B4FBEDB14DCC57E2C73F23F3AF5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898299Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:50.882{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3359D6C3A5B31E7861CDDBD82E2A260B,SHA256=0E841746A9BA3EA879EA0B79DFCAFDA257950523B54E98A3CAF5A8D158DB482E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:51.388{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F437D36E09B9C2E8417FA7769D5EDB5,SHA256=21E87A12EBBF9B19E1F2AF3001B4EBBF6F305C965AB1813F2464E39ED2DDB299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898300Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:51.882{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C2CC767C4F93D081057130FCDD4066C,SHA256=57CC04E4947374CE0006D3666297AB5EED5D0637E28C70D543F108BBCABCB3BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:52.747{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD74A7E577D5F1585E156DB60CA2144C,SHA256=D38421A79F3C750FC50347762901AEFC32D4B0AA3B9A3080AE0D8EA4D7F3A472,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007986873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:50.290{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62138-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898301Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:52.882{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA45765049C2DE0FC4294F18D97A1B99,SHA256=FA49D5728958B0F5D6B99F1C6162ED19E8F4FAF9B3555ED32496A6841E86B868,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898303Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:53.897{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C455ABD6A5958216B81148C2189AB4AC,SHA256=E438D10C9C0DE6A6BB40663D63A1B0F5125AECAEB02EBB7A580F015DB92C19D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015898302Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:50.393{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51883-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007986875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:54.107{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=685FC43E49ACF8DC7B270EB4B08FB7CE,SHA256=606EC776DB8D843C9C29C71B221D75F25B7DE53F9543796551708328ADA0179A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898304Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:54.975{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D26866530EEBDED183D4E57613308D38,SHA256=D8AD50126C0DAC3727536AEAFD67623F202E58A51A6EFB604CB8A426B0DFB66F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:55.482{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=100EAC2EFF2EB3AE2DC510591945BC1A,SHA256=24CFA8E5C088F8D8BD50F19D4CE92055CD0F52CF38DFD7B40B8B3A7E95FADCD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898306Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:55.991{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18AF079E862AA1D0AE3C472ED3AE4B1B,SHA256=C4C5097DECCAF5362C80C45120125B99F48A52092E609D4100FF3642745C7FF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898305Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:55.319{B81B27B7-880A-60DC-1000-00000000C701}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=EB4146B7A2BC920B838D523E08DA3C72,SHA256=94CE33261D5E9A32B393A949A5CBC26A062E3714A0EB9A664F90FE63DF54FEDF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:56.841{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA704202CB023BBB87FB1AD3FC5B1C1,SHA256=EDA27B6BFF66B033A92CF34D80ADA3E4750B669C50C5C9DEF3A8FA2B8FBBF95C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015898308Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:55.408{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51884-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898307Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:57.007{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E9330590E2874FA9958E24607F5EDED,SHA256=7F32A638201A0F2A87F012F9E77D2F985B33317D405EA585E56AB107238E03E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:58.888{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=829B6AF49A8D5A5D2EB9D6E3B125BD97,SHA256=1C8A9B613E9570FA650BCD846AD0F1B5F58DF2A48AD8A06E2843C546EA46E590,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007986879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:56.337{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62139-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007986878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:58.201{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41AC086AC57117D9F01BCF9564B0607A,SHA256=F5B3B8BA5F7F057A652D4FB3F68EF215481462159CD721D8116D8E642DA433E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898309Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:58.038{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=263A47BF51C945E60B8AC6E119651C03,SHA256=232EC414A6006613E0A695F795ADE2C94AE3D5BBB4B534308570CEBDD081D667,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:03:59.576{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=401BB702FC0A4372F0E7CD7E2D5AE7A6,SHA256=574EBBB5F9723859D56FA833226F336C2B861916B46AEF18D98D82B856C8FEE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898310Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:03:59.069{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F456329A036130D7432431B9E92D510A,SHA256=49CEB224674480C44788B7D0B71A6E2E61522ED357CC8DDB65D8B0C165D92022,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:00.935{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC309CB4779AF9F0FD9F1E1A9DDB8167,SHA256=1A869A113414D795C38A5CAB76547D414FF4EE6CD14A3190221CAE2DD0F96779,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898311Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:00.069{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49F887BB53D9580EFF6F876E9A7074B3,SHA256=B1B8C066553FF1625D4984FB507D6B3F7EF7CE5371805269CBB93898E9AE3F75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898312Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:01.100{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7CA35D5D2E7F659132ED835AB393A4E,SHA256=AE52E4C137FAA1DD672CCAB5AC9697B694B3B29DE4707A528F0D14C6C6022266,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:02.310{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=228A85480BA8CE62B387BDD041BBE64C,SHA256=70AC67DE4645AC15A4685A8C6DFD79F31217BECBBEDA3AE0AC9636B1D0E99E7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898313Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:02.100{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23E470C36ABBF7A32128C2819A1A5A0C,SHA256=60E4E86CA363FDCA10BFF2D0904FAEA40087BC4D38761EC1AE0E05EFD5A1EAD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007986884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:01.368{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62140-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000015898315Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:00.455{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51885-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898314Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:03.116{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FFF945F4FA9D0399B49A51F8F7D6F7B,SHA256=CF958D2E525723A49BCCDCE0426E7D89A9470AD6AEF050472BA5C683EE9E199B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898316Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:04.131{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF261F040D479EF14123EE8CA297CCC3,SHA256=E8A9F43C4F2F994ECEAE31D923BD98B9F9442CE6E733CE3C83BC8DB07252F49D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:05.357{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE8A7D8A307562FFCDA037496647522,SHA256=B9AE403822A16AE428C1121E377E557BC90387CDFF21F9DBC4E1B6A985B44D7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898317Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:05.131{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5069A48BA40BDC59F3EA21C4EEDB019F,SHA256=17112F94BB0B9D59A2D4BA7F0F6CC1F590A891C28C9A1B889326615289F3D1CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:06.748{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=106FB78B3FAB7C22394134D07C661760,SHA256=766A2D57160FE806CF89962C9711F32D64D51BF3A20D4896948F8610046E299A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007986886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:06.060{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A08B7B2A087813C4B8E442B6D2217A20,SHA256=55BFE7B4394AC74A959085D6A4A88901540C0D18033D2DEC4D0C0370B3BFB5E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898318Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:06.163{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3F9382C3FB879AD5AA6BBE7EE16ADF7,SHA256=F36475BD403732998D7A5CD45353158C832E0760C12C2C9BDFF0A818DF498A7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898319Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:07.181{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=695FDEE16923021FEDC6E779D214277F,SHA256=67CF969F0B52100855551294FC80D7EC248E1355F63F7A61909E4370E3E1EBF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:08.112{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27DDC2C44ECF2B44BEFF360545B8B29A,SHA256=50A7BDD81FE124118E7472BD377E20637AB059B6A4BAE8CC854CD8931E451784,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015898321Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:05.549{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51886-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898320Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:08.197{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A6FBD75D83DCC6B2F09E90F4868CCE3,SHA256=14E18FEFFD9019DF407D45C0372037A3F146E6F4B688A3192D40F6EE92BC680A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:09.471{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31AA742001707EF0D0A836CE6D885DDA,SHA256=11659F11530461E387C74FDFBB67CA55ACF0EDAF853AA76D13971AA99D79730F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007986890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:09.471{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F06FCD2A1EAEFD308D22C8807404E3,SHA256=696DCD6783834AE05F13CAA0FA6CC923FA94D23EE358608839F743163C5F6326,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007986889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:06.466{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62141-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898322Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:09.244{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ACD76CAED1C5A229AFE7D19A20793C2,SHA256=E264A629328E27A03C082958369786B9BDFA544565BC9F4A3891E6BAE44989EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:10.831{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C33580ADC2675C3EDD4547992F1BAE7,SHA256=8F1B771886AF44266195AAB6E1A23A41358FEBD1BB1CDAA307B26383EFF39DDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898323Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:10.259{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B525FFF0B48836D5610CBF6ADB8F92E,SHA256=4E6266A27D4CC52989B41595F7C4494B22673151F741AAD2245B2EB947800D4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898324Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:11.259{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D7971CF04A3BB510A12428B94942F9A,SHA256=2F942A39DFD2DAD75E1F3570C8D0B835D2BAD8662D299476BCBB1C5BD74AC6DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:12.206{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBA710BDC231BCB7C16CC127F7D896FD,SHA256=E4B3DF90322DDFA5CE674F50FCC8EA46DF087B16626D282E2A7219DAD4B56984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898325Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:12.290{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7AB03D2CDD83BE89D8E5B87C841B927,SHA256=CC93D38371FDBFBE2015474C34A31811E5DAFD49739B18D6AE70905A5B2E76D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007986896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:10.732{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62142-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007986895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:10.732{3BF36828-DD1D-60DD-2F00-00000000C801}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62142-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x80000000000000007986894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:13.565{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61DB93A89D8DBFD3E5A021E685604DD3,SHA256=30372DDFFBF045653BE03E9DD2FBC7EDC4B303BE8C9648274A008D1A2CD9A0BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898326Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:13.306{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D85622973EF73739EA7C4E89B9CF9926,SHA256=D2B9DF4DD7AD99FE8E8B50B8A8AC43E1EE140A74AF8AF397A20B3B6A153D230C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007986898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:14.940{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7261A677EB28699B998EE5A396F4D56,SHA256=68E27FDB902C08977AFF650DFD0F43DBFFE9CB7455D925C1AFB6AD92C376AAC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007986897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:12.451{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62143-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000015898328Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:11.333{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51887-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898327Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:14.322{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FA552EBF7041F940CAA1C87B3C6E04F,SHA256=2BE16B2CC83881A11EA5E76B8DB03BFE1CE68AAF1346753D6B54B683A34BCF35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898329Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:15.368{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38006D5BFCFC67CF3B97C46D4C547656,SHA256=C88601F81B4166BECA94B55A9DB88E55B389CCB5B3A091A1B0A5A3F21A0A4D00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007986983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007986982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007986981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007986980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007986979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007986978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007986977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007986976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007986975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007986974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007986973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007986972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007986970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007986969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007986968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x80000000000000007986965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007986957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007986956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.989{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007986955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.424{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007986954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.424{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007986953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.424{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007986952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.315{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007986951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.315{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007986950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.315{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007986949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.315{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007986948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.315{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007986947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.315{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007986946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.315{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007986945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.315{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007986944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007986943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007986942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007986941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007986940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007986939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007986938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007986937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007986936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007986935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007986934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007986933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007986932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007986931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007986930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007986929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007986928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007986927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007986926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007986925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007986924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007986923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007986922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007986921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007986920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x80000000000000007986919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007986918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007986917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007986916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007986914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007986913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007986909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007986908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x80000000000000007986907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007986902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007986901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007986900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.301{3BF36828-E780-60DD-D101-00000000C801}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007986899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.299{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71B6BA53934D66691C1C3498DB737CCA,SHA256=A4BA241817E34D41A07441C5279896A12C106A82DEACB33548B69AA2005833E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898330Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:16.384{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18D7C9FF76B93CBCB2AB72E25A050089,SHA256=FE8E45BF49E752077827D91FB083F5760E6D8F87B56CB8461BD734356C2C1C9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:17.674{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6904E604EC2198552C245C1EF9F82178,SHA256=BE43C4906A1B4DCBF675A63B13712DB20A207825C5D5D73B0FE6C864DDD556C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007987011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:17.112{3BF36828-E780-60DD-D201-00000000C801}36722940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:17.112{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007987009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:17.112{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007987008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:17.003{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007987007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:17.003{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007987006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:17.003{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007987005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:17.003{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007987004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:17.003{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007987003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:17.003{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007987002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:17.003{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007987001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:17.003{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007987000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:17.003{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007986999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007986998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007986997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007986996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007986995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007986994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007986993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007986992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007986991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007986990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007986989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007986988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007986987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007986986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007986985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007986984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:16.987{3BF36828-E780-60DD-D201-00000000C801}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 23542300x800000000000000015898331Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:17.400{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F509A1C56EB4E1A1672BE3FBD47092CB,SHA256=7DDE2252D7D4650357AFBE1A124FAA6BB632A8F451BD57E48014EC51EBC4F882,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:18.346{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64623235A32AABCB429315250D0D9F9A,SHA256=D66717741DED600D6DBE8CA55C2279130649EA8F8491D53AA520279909A1F142,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015898333Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:16.426{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51888-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898332Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:18.415{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13C128270BD0E3EE40C252A8AE5EE24F,SHA256=D02E6934DE12683820150875CA1A2AB57EB4DF1142796365BEAF130400E5AC22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:19.034{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C62D21F58D83601FB77170013F5953B,SHA256=9F17D1759AC3C43E7AE093CBBDD8865981E4CDB4FC8F3E41E617F8F323909613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007987014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:19.034{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3378700F92107436707F6FA6664A71F9,SHA256=6CC70B2E603228A1F28033B5F7321F629CF7247DFA4436DACDFA4B048309E56A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898334Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:19.478{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C87F8D5A9DB0C68CB073FDF33EC34C20,SHA256=0CF0403BDE0CAAB20288CA756DFD5495714D3E8381D4C874D8C77BAF76FCD8CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:20.846{3BF36828-DD1D-60DD-3000-00000000C801}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007987017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:18.341{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62144-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007987016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:20.471{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEDC2BE3EF5AA5D904F44AE0DD2D5F74,SHA256=97DB0E3B9B00369E54FC0AD9F1732D12C063482B39EB593128A01A3E19D9C7BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898335Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:20.493{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87BAAE15259DE9E7CC5A26EBD8ABA7F0,SHA256=8F18966A2EFBAF8F4418A5F86AD93226647F4A8DB401F5B47496A632EBD801E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007987076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.909{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007987075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.909{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007987074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.909{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007987073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.909{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007987072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.909{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007987071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.909{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007987070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.909{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007987069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.909{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007987068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007987067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007987066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007987065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007987064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007987063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007987062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007987061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007987060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007987059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007987058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007987057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007987056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007987055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007987054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007987053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007987052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007987051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007987050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007987049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007987048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007987047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007987046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007987045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007987044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007987043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000007987042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007987041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007987040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007987039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007987038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007987037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x80000000000000007987036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007987034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007987033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007987032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x80000000000000007987028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007987021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007987020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.896{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007987019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:21.893{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=714D5159AB52CC969425FC6BF68A5B0A,SHA256=9A8D265A1C8CF30529B543BCB9EE471F67560882FC8CC8AEA23A596A7CC6116A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898336Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:21.509{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79730017BE5767AA5A408E96FE95E948,SHA256=047E2E5202719F7256F14A9917D335206AD03A4B66B58D60E9268378CFCE62FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007987081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:20.060{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62145-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000007987080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:22.581{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEAAEB591F495F7A8CF24D2B268A5E26,SHA256=0F3D0CC404A38F601537E60F4BA5941B91CB9EC879AAAA44B632E7A49D214D5F,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007987079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:22.018{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007987078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:22.018{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007987077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:22.018{3BF36828-E785-60DD-D301-00000000C801}4624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000015898337Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:22.540{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF3DEF9664FB52274B37AAAE2B68E819,SHA256=1BEB0790DC6DF2283287D1D435D3D75848624B8DEC2C9F64EF1E0D8699496AB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007987134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.971{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007987133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.971{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007987132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.971{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007987131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.971{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007987130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.971{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007987129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.971{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007987128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.971{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007987127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.971{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007987126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007987125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007987124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007987123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007987122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007987121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007987120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007987119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007987118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007987117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007987116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007987115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007987114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007987113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007987112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007987111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007987110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007987109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007987108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007987107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007987106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007987105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007987104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007987103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007987102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007987101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007987100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007987099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007987097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007987096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007987095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007987092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007987084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.956{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007987083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.957{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007987082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.268{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2750F86233E680176BCBC8B4684108DA,SHA256=4C1B47B23B6700B623C5E80AD52370677A92B964BA0742AB2B89B470803F0264,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898338Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:23.556{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A38D7170CB46B83F27E788BB564B9A2,SHA256=24924EAE6D32C42D7B76457C4E2035592CF8AA72CC3B17DF4D83CFD2595B2906,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007987196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.768{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007987195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.768{3BF36828-E788-60DD-D501-00000000C801}25801396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.753{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007987193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.753{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007987192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.659{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007987191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.659{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007987190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.659{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007987189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.659{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007987188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.659{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007987187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.659{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007987186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.659{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007987185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.659{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 23542300x80000000000000007987184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=113CCDC0FA2DEB70B2F97C6D4D48E4BB,SHA256=0ACF0C26613D2A19F2B9A1D13740473BBEFB87C0F9210AB808C737CB095A3E43,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007987183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007987182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007987181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007987180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007987179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007987178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007987177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007987176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007987175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007987174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007987173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007987172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007987171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007987170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007987169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007987168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007987167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007987166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007987165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007987164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007987163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007987162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007987161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007987160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007987159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007987158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007987157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007987156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007987155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007987153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007987152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007987149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x80000000000000007987146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007987140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.643{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007987139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.645{3BF36828-E788-60DD-D501-00000000C801}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007987138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.081{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007987137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.081{3BF36828-E787-60DD-D401-00000000C801}19921708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.081{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007987135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:24.081{3BF36828-E787-60DD-D401-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000015898340Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:24.556{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DEF72A27A880D8BC252B6B28593330C,SHA256=BE956771B780001E3799B057C3439F7B6BE8BF13035D54285F847EF03A34CD40,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015898339Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:21.505{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51889-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000007987253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:23.404{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62146-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x80000000000000007987252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.518{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007987251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.503{3BF36828-E789-60DD-D601-00000000C801}14121220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.503{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007987249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.503{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007987248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.409{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007987247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.409{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007987246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.409{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007987245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.409{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007987244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.409{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007987243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.409{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007987242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.409{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007987241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.409{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007987240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007987239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007987238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007987237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007987236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007987235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007987234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007987233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007987232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007987231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007987230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007987229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007987228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007987227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007987226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007987225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007987224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007987223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007987222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007987221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007987220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007987219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007987218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007987217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007987216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007987215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007987214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007987213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007987211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007987210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007987207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007987204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007987198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.393{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007987197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:25.396{3BF36828-E789-60DD-D601-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015898341Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:25.587{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BE8BD3AAE64F5A9A88424CFAE536E68,SHA256=710BAED28A9D26D68E490BCDEECE9340D924C8939145F85BC1056D91CFBCD61F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.768{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E60007D02DDAF8973444D5EBD4BEE0E,SHA256=858989EF02FBA887CD3F897897EB45B03E57C52C0A366EA5026640FFF76116A5,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007987310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.221{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007987309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.221{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007987308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.221{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007987307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.112{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007987306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.112{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007987305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.112{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007987304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.112{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007987303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.112{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007987302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.112{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007987301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.112{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 23542300x80000000000000007987300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1026D2E3CD39C13F09959DA4CF733937,SHA256=261E44E660556F1634423FF84B85F78868F5E6E359C40E639A473384B459E870,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007987299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007987298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007987297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007987296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007987295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007987294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007987293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007987292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x80000000000000007987291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007987290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007987289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007987288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007987287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007987286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007987285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007987284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007987283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007987282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007987281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007987280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007987279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007987278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007987277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007987276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007987275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007987274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007987273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007987272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007987271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007987270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007987268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007987267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007987265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x80000000000000007987261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007987255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.096{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007987254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:26.098{3BF36828-E78A-60DD-D701-00000000C801}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015898342Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:26.603{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED1D8F2EDAA8747EACAB42D35862657F,SHA256=772F6C190F16FCAF7FB6F25F51C5A5E7CE514E3CE3AF46A14609513D14C84131,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:27.519{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB5A4DF44A45DB7AB414188DB4C7736E,SHA256=7D5FD324459F385BB1F70F801C8CBFC1DA4E7F7E6E47D5C2773C28CFBA37F447,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898343Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:27.603{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7C2AFA72AD187C4A35AACC202BC946C,SHA256=9AEF9F2E61228DDF2E048AD81FADBC9FAEA60AC42562E14F14CB944E41342E46,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:28.956{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AD8B95FFBF64AAB1498D8139A72874A,SHA256=574AE6B3BF2E61174AFD2ECD1A79308D1609EC0ED6770CCF5C244A68B7B42FA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007987313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:28.206{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7385EC19B72645E13AE84B1F04FB0B27,SHA256=35A8936C503E55AECD7F1C771C540C56BB2B30F3AE7188452F0D560D3CA80F12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898345Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:28.618{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=756AAA12AD9E8E342389C07A736F3103,SHA256=375BE6D9AE00E97C4066EBDD93160DB2661B1EA05B01E05C98A31982D16BB8FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898344Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:28.368{B81B27B7-880B-60DC-1F00-00000000C701}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898346Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:29.618{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CC82A053FBF53D24BEFD64F285B1BD6,SHA256=1EC5E3EE4A4425A312CA601FBF482929EC5C68A6FC285C1EF20B091F29DB8E9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:30.456{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BF69FF937E0AFC7EDF7A9DEFF407CE6,SHA256=7D89E6C7D04F59809047D105AE60E780C3B9B559B36C561A2E0225348E91EB92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007987315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:30.456{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50702670FF253699E34E031C8AEB43CD,SHA256=98C4248BDC5BE8A1F0E727574794E3AEEE88B475956A8B6E74C3242CDB79A756,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898349Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:30.634{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=789220D2B33FFC3413C561DE930664F2,SHA256=61653338420E58DBC8EE1A1B2F7B00D7D32F41E3F9115EC7B38A8E34DAF21A20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015898348Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:27.661{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51891-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x800000000000000015898347Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:27.349{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51890-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007987317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:31.831{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91E7B9ED7F7E73B3635F57973BECCC55,SHA256=81DF93A6747679319A54E481A6949C0B0FA65372387A3E85B56ACB85BE42E6B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898350Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:31.665{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB26FC3174ECE4CBACEA254CB908F87F,SHA256=8646AE63DB7B623721AD69F63391C4C46C3803FBD48D21BAE77311B32F16C191,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007987318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:29.435{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62147-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898351Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:32.697{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEF651133CDAB94926A069E86491B70E,SHA256=759A54ED52AD8CDEB869CD5A966873CB112B9337053ACE57B1260224F6734575,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:33.206{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=569E03E79F5F0210296804400B0D0110,SHA256=E4C2757417DB47F006ADAD9410323DA6EBBEC6061B582C1E4723B55BB3936A93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898352Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:33.712{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6573790FCFC2D7E6CD1D303EA4C0429E,SHA256=8079BD95FC47361D853F82A0E6DE4162826E830D942D74BC8EB3D092E9724CBD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898353Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:34.743{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=470C8B0A53A3587436AD3276441BBE2D,SHA256=1023068D76EBDB13EF445061E2989D45EA4091BEE70CBB50B1CCCBC3B1B3684A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:35.925{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AA237C7B7718B70D83FCDAEC4C78115,SHA256=90A3B1A797FF8FB50E633D1B01FF8BF8E7C72725ECA2CE0A08241A951818C591,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898355Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:35.759{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F679903B1F5E0D6CAC248840AB8173D,SHA256=7A22B3295D29766C95E683A702832AD8F28C0804B6584358711E000C0E3D7BE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015898354Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:32.458{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51892-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007987321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:36.941{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86373BE23CDF8B66086A995113542B86,SHA256=A1DB1BFE16C8D69F7A0B762C243977B73A75523BC4668D7ED055031E83F76B7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898356Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:36.806{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C11FCDE01CF54D4935DAD1303AC57D5F,SHA256=910E63FFE4DB3568546FC71F992A4B80E389876D8FA3BF12126AD5E256AC2C3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007987322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:35.450{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62148-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898357Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:37.837{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A99A6A1398AAB9FE527C09CC0DEAD83,SHA256=9F1F67495A41375881DC41153863E99D5D944594B1AB72790DE9992233BF3674,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:38.706{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12F10A1CE3C11FAAEC30DDF3C2744022,SHA256=CDD6C99E3A9652D467DA4DB50B1F62B2CA91783D6AEF2D1020A6B9DF43B2BBC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898358Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:38.853{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98B1155E89D96AE02505A957BBC66915,SHA256=24864505C357BC30AAD6241171EBCEE500711B4B9C380390E66ADE64727F9502,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898359Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:39.868{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BF6DFE3E99BA80F348D29B90A460977,SHA256=DFE52D127D92961A7278CD967A26C029D955593D991D06DC8436796342F3604A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:40.081{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44359B38518E1C0DF7E992D683E5C39C,SHA256=D7487F052BE79CFC465409C82A2F8C1BE4252D6FA0CDB2D69C49999FB4FE827B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898361Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:40.868{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7428EAD0C38159957C5C5A3C69066D6,SHA256=B0E70FB3B9B80F2B7ECE6E14B9E4940BE3D4329CDF3553D2850DC642B8BACD4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015898360Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:38.364{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51893-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007987326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:41.441{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63FE5F84C72E117BE893F010BE2EBCA8,SHA256=ED3288734C48BB3EC3F846FEBA9B0487162CC2E075BA4B0E223CD8702F365CF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007987325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:41.441{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9D79266B5D6B6CBA9F98807FCEE4EAA,SHA256=FC6FCC812B01D2662C97363C8C4F061D17CF62D7F12139330DE677505DB66988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898362Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:41.884{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35A2845735BAEE04BB2C1CC0781909F9,SHA256=72C87A1A7E7539DBBAD65FAA268480E8FCFD88C8283D5BC98B90CCD646281404,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:42.817{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E29F21B91DF98F1D336197537B9441F8,SHA256=C9925E630AAB9C5FB34948E381FA44CA80A73B14457B2BF264F3F19086221CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007987327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:42.347{3BF36828-DD0D-60DD-1200-00000000C801}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=ACC55A862CA0351424F3D9C5C2BDD3ED,SHA256=9D31E01AEA8744E0656AB9B4D9BC7885D9BEDD0A1A310A63B04BB1DAB19C81B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015898376Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:42.962{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E79A-60DD-162A-00000000C701}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898375Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:42.962{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898374Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:42.962{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898373Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:42.962{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898372Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:42.962{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898371Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:42.962{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898370Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:42.962{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898369Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:42.962{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898368Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:42.962{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898367Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:42.962{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898366Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:42.962{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E79A-60DD-162A-00000000C701}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898365Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:42.962{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E79A-60DD-162A-00000000C701}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898364Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:42.963{B81B27B7-E79A-60DD-162A-00000000C701}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015898363Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:42.899{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C40ACE05D0729604981B7612005F468,SHA256=0D335A62B0F3C3D447929F6019E93B681277140D78868C1D5982796AB14FA5C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015898414Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:43.634{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E79B-60DD-172A-00000000C701}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898413Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:43.634{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898412Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:43.634{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898411Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:43.634{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898410Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:43.634{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898409Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:43.634{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898408Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:43.634{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898407Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:43.634{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898406Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:43.634{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898405Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:43.634{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898404Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:43.634{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E79B-60DD-172A-00000000C701}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898403Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:43.634{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E79B-60DD-172A-00000000C701}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898402Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:43.635{B81B27B7-E79B-60DD-172A-00000000C701}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x800000000000000015898401Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:04:43.524{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\RegisteredSinceBootDWORD (0x00000001) 13241300x800000000000000015898400Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:04:43.524{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\StaleAdapterDWORD (0x00000000) 13241300x800000000000000015898399Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:04:43.524{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\CompartmentIdDWORD (0x00000001) 13241300x800000000000000015898398Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:04:43.524{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\FlagsDWORD (0x00000002) 13241300x800000000000000015898397Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:04:43.524{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\TtlDWORD (0x000004b0) 13241300x800000000000000015898396Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:04:43.524{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\SentPriUpdateToIpBinary Data 13241300x800000000000000015898395Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:04:43.524{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\SentUpdateToIpBinary Data 13241300x800000000000000015898394Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:04:43.524{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\DnsServersBinary Data 13241300x800000000000000015898393Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:04:43.524{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\HostAddrsBinary Data 13241300x800000000000000015898392Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:04:43.524{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\PrimaryDomainNameattackrange.local 13241300x800000000000000015898391Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:04:43.524{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\AdapterDomainName(Empty) 13241300x800000000000000015898390Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:04:43.524{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\Hostnamewin-host-987 13241300x800000000000000015898389Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:04:43.524{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{ACF0E042-6EE8-44CF-93DA-B1C31E741B40}\RegisteredSinceBootDWORD (0x00000001) 13241300x800000000000000015898388Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:04:43.524{B81B27B7-880A-60DC-1000-00000000C701}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x800000000000000015898387Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:04:43.524{B81B27B7-880A-60DC-1000-00000000C701}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\IsServerNapAwareDWORD (0x00000000) 13241300x800000000000000015898386Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:04:43.524{B81B27B7-880A-60DC-1000-00000000C701}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\AddressTypeDWORD (0x00000000) 13241300x800000000000000015898385Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:04:43.524{B81B27B7-880A-60DC-1000-00000000C701}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\LeaseTerminatesTimeDWORD (0x60ddf5ab) 13241300x800000000000000015898384Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:04:43.524{B81B27B7-880A-60DC-1000-00000000C701}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\T2DWORD (0x60ddf3e9) 13241300x800000000000000015898383Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:04:43.524{B81B27B7-880A-60DC-1000-00000000C701}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\T1DWORD (0x60ddeea3) 13241300x800000000000000015898382Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:04:43.524{B81B27B7-880A-60DC-1000-00000000C701}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\LeaseObtainedTimeDWORD (0x60dde79b) 13241300x800000000000000015898381Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:04:43.524{B81B27B7-880A-60DC-1000-00000000C701}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\LeaseDWORD (0x00000e10) 13241300x800000000000000015898380Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:04:43.524{B81B27B7-880A-60DC-1000-00000000C701}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\DhcpServer10.0.1.1 13241300x800000000000000015898379Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:04:43.524{B81B27B7-880A-60DC-1000-00000000C701}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\DhcpSubnetMask255.255.255.0 13241300x800000000000000015898378Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:04:43.524{B81B27B7-880A-60DC-1000-00000000C701}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\DhcpIPAddress10.0.1.15 13241300x800000000000000015898377Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:04:43.524{B81B27B7-880A-60DC-1000-00000000C701}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{acf0e042-6ee8-44cf-93da-b1c31e741b40}\DhcpInterfaceOptionsBinary Data 354300x80000000000000007987330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:41.216{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62149-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007987329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:44.173{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F563BE65DCF7F4DA5AC01BEA2A7F1702,SHA256=C5C53AB831725CB23C2B20FDA7FC0E07477C16248532926FF0C29B9E15D7D16C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015898436Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:42.841{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-987.attackrange.local51191-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal53domain 354300x800000000000000015898435Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:42.841{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c860:1c51:8bd:ffff-65016-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x800000000000000015898434Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:42.841{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c860:1c51:8bd:ffff-51191-truea00:10e:0:0:0:0:0:0ip-10-0-1-14.us-west-2.compute.internal53domain 354300x800000000000000015898433Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:42.840{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:7073:809d:70b7:7bb9win-host-987.attackrange.local65016-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x800000000000000015898432Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:42.833{B81B27B7-880A-60DC-1000-00000000C701}980C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-987.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.us-west-2.compute.internal67bootps 10341000x800000000000000015898431Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:44.463{B81B27B7-E79C-60DD-182A-00000000C701}5628904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898430Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:44.306{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E79C-60DD-182A-00000000C701}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898429Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:44.306{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898428Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:44.306{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898427Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:44.306{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898426Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:44.306{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898425Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:44.306{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898424Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:44.306{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898423Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:44.306{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898422Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:44.306{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898421Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:44.306{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898420Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:44.306{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E79C-60DD-182A-00000000C701}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898419Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:44.306{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E79C-60DD-182A-00000000C701}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898418Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:44.306{B81B27B7-E79C-60DD-182A-00000000C701}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015898417Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:44.103{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1E2BFCB1FBF7335014F07726621C035,SHA256=CF32E22689FD865EF55CF6E45655114585B5DC79A50FF74F367E6FAD1FD1DCE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898416Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:44.103{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14A5FDC8A96BFC0EA88A3AB24AD4E760,SHA256=CFB21900833B735A44677E953F45BF49EE9BD775500E80D4398CF36BB5A2C9C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898415Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:44.103{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A367D267B9131C630EA4E4557E6CFAEE,SHA256=FB8C1769F4C6FCC6E05CA95B1BB3478CA0B957C0B93117FAD66A66D18B015627,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:45.551{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DE308868B8168705DBF17C36BF991E7,SHA256=92B892000791FCEB5C8701D194CA885DC694D687670326674603D7289847254A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007987332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:42.787{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.15WIN-HOST-98750474- 354300x80000000000000007987331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:42.786{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.15WIN-HOST-98751191- 354300x800000000000000015898439Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:43.443{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51894-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898438Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:45.509{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1E2BFCB1FBF7335014F07726621C035,SHA256=CF32E22689FD865EF55CF6E45655114585B5DC79A50FF74F367E6FAD1FD1DCE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898437Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:45.212{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E7DC1BB93C410E85143C255F7C61175,SHA256=A4184A0A36A04041F48671F8F355EDD70C0EAE699D9A453E4FA5A1564D3541D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:46.910{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B968FB6B77D410C88F621838DFBE2CCA,SHA256=36FEAA7D6BE72D7B78A59E74F2A2FFD0F89BCED472F78254E02E6971B54E608D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007987335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:44.029{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-128.attackrange.local62680-false10.0.0.2ip-10-0-0-2.us-west-2.compute.internal53domain 354300x80000000000000007987334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:44.029{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.15WIN-HOST-98756938- 23542300x800000000000000015898440Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:46.213{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32F112270AD3F2AFA7C65D272AC4DCE0,SHA256=D598A2041C6DBF8A83EB3536E05BB70EB23C8DB19CAC68DB93E8EF5381EA9B33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015898455Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:47.497{B81B27B7-E79F-60DD-192A-00000000C701}60562444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898454Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:47.356{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E79F-60DD-192A-00000000C701}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898453Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:47.356{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898452Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:47.356{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898451Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:47.356{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898450Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:47.356{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898449Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:47.356{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898448Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:47.356{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898447Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:47.356{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898446Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:47.356{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898445Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:47.356{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898444Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:47.356{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E79F-60DD-192A-00000000C701}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898443Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:47.356{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E79F-60DD-192A-00000000C701}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898442Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:47.357{B81B27B7-E79F-60DD-192A-00000000C701}6056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015898441Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:47.231{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D92BB564F2B85A66B1FBEA8842A35761,SHA256=0D8794817DEDC845CDE921D041DCD37FB21CCB3604A8455BC39540100D12B0BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:48.273{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9AF26F0BFC07D99D6F28748B282514F,SHA256=D7F69775A2C67A05CE343FF63D32F4516EDB483D36F0B35928AD6B2DA4D0FFD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015898484Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:48.700{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E7A0-60DD-1B2A-00000000C701}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898483Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:48.700{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898482Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:48.700{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898481Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:48.700{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898480Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:48.700{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898479Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:48.700{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898478Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:48.700{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898477Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:48.700{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898476Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:48.700{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898475Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:48.700{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898474Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:48.700{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E7A0-60DD-1B2A-00000000C701}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898473Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:48.700{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E7A0-60DD-1B2A-00000000C701}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898472Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:48.701{B81B27B7-E7A0-60DD-1B2A-00000000C701}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015898471Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:48.497{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6141F648145275DBB0592B8C639A673F,SHA256=778C81ED0D386560FF6F26935E22838291918F3A943671704C3B926D38D6ACD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898470Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:48.497{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E1D2241610EE29506DA4272A0A0CCA7,SHA256=93E6713C1BA9D5B8F084398D0BCC5375F2AFD4B481843A2C3A4D7EC9EF471AB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015898469Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:48.169{B81B27B7-E7A0-60DD-1A2A-00000000C701}38083796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898468Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:48.028{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E7A0-60DD-1A2A-00000000C701}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898467Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:48.028{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898466Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:48.028{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898465Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:48.028{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898464Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:48.028{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898463Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:48.028{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898462Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:48.028{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898461Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:48.028{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898460Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:48.028{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898459Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:48.028{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898458Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:48.028{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E7A0-60DD-1A2A-00000000C701}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898457Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:48.028{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E7A0-60DD-1A2A-00000000C701}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898456Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:48.029{B81B27B7-E7A0-60DD-1A2A-00000000C701}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007987339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:49.632{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D1143562FDD7780525B705E10DDEB7,SHA256=3025573D2AE9ACEE89F59B1DFBEF5228D0E5EDFF2181B2E7195DE9226F28D352,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007987338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:46.294{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62150-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898500Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:49.731{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A8B2FC9D11A4F3AD2D440C65D073470,SHA256=1AA6DD5F2FA9B5C5A4DCCF8540708E8C5E5883E63FECDD09D68C92516CEDD492,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898499Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:49.638{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDF589A149596D629AA8D814942F98E8,SHA256=0194516C6A4C27D2DB5D1E69739FF797984E3E3D49A0F1BFEC167CFB1852A3B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015898498Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:49.513{B81B27B7-E7A1-60DD-1C2A-00000000C701}50446116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898497Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:49.372{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E7A1-60DD-1C2A-00000000C701}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898496Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:49.372{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898495Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:49.372{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898494Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:49.372{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898493Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:49.372{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898492Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:49.372{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898491Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:49.372{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898490Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:49.372{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898489Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:49.372{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898488Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:49.372{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898487Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:49.372{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E7A1-60DD-1C2A-00000000C701}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898486Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:49.372{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E7A1-60DD-1C2A-00000000C701}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898485Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:49.373{B81B27B7-E7A1-60DD-1C2A-00000000C701}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007987340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:50.320{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF039A36B9E3D7A1BDAAE1A4BF666B8D,SHA256=F5016222BCAD66930500B0AAB36CFF7306685D05AB1209981C6D4F03EB463944,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015898502Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:48.493{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51895-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898501Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:50.513{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D533669CF5A28B141BA31795D5BC821,SHA256=1A8132E1B9CD2547A2020841327F5C742DCA7163BD7739346B577B9D81D5018B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:51.007{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B095AD31A1949959D242634C4B6B27FC,SHA256=B17C3FD742DA6425890AB391DBBE008FC2F4F0C8042E276E63C8D011756ACCDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898503Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:51.515{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0ACA82950F16F7B750C205D4C48665C,SHA256=6935DC26F004BBCF8FBA96F994B621E9FD01706CCD735035433C0E41588EA725,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:52.351{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79904583FEB10C6037FAEA8EF2DE8C0C,SHA256=E2688DA97C56C154CAA261A0081CE1CA42B449D6E14128D949DAC36E5C1488CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898504Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:52.517{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AEA3CE68DE12F62029C8F7CE8C5B67D,SHA256=4710083A5EB75FCA70C296AF5E6953F36029236AAD68B4D2D8A46161B7B6D268,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:53.726{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6E692A88C8252888E10D4F3D992F315,SHA256=F11B7C408A558CB588CE404F1405F87F399BDBCD383497D191CE70CB0D936EAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007987343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:51.360{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62151-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898505Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:53.517{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A33329AE6D528724B995E6A1D3A17545,SHA256=0F4D9FC4011CE9A26D047E3CE8DDDB37543A0482CCF67139B175FE464658EB65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015898507Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:54.892{B81B27B7-880A-60DC-0B00-00000000C701}640680C:\Windows\system32\lsass.exe{B81B27B7-8806-60DC-0100-00000000C701}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000015898506Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:54.595{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB977FFF2B9219EEA47BB68EDC2D2A93,SHA256=CB0469386A7754C28C31B13120536DD738DF0364FE7975D2618FFD44B9916E8A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:55.086{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6C56F14A858EA90AB8A00A233A95568,SHA256=DAA07C5BCE938C04A4DEF2FFF1DE6D82B925B2705243979E5D0D504193F67704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898509Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:55.595{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60EF9A55CE3C52587D651D7E617EC626,SHA256=83FB08634E25F56948EE9AFEA8BD08AC79B3A205708C4D36685C4C52E9D17D0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898508Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:55.329{B81B27B7-880A-60DC-1000-00000000C701}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B289DDBF7CD2F9A32666F75F9368CA24,SHA256=4F352B3A84B08F0572E307B4E7729F803B4AB1C881AC197DEB2C50EBEA34F52F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007987347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:54.147{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.15WIN-HOST-98758866- 23542300x80000000000000007987346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:56.461{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2964F90C6823E29043B133AC90159D5,SHA256=F32CF7F418D966523B9EE4372CAABE59B2CDDAD9B697EF7AAC467CF8E153803B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898510Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:56.611{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B032B9FF5B5CCC5FC1147FFC5BFD8BFA,SHA256=D47A3C2409AD57E4B0F37DF76E0D048CE4428004C725B9FEE5A9D33CF0D14D89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:57.820{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF96844E7F693190B9968C7E0CA24468,SHA256=F9DE6012952D4AE693EEA9F7B37E23726738D96D86F847E42D372A9864388660,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007987348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:54.149{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-98751896-false10.0.1.14win-dc-128.attackrange.local445microsoft-ds 23542300x800000000000000015898511Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:57.611{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBA1246985731AC531AC641E077AE898,SHA256=F8E4AF195C993CBE1BC54DEC0712FA804A8AF0C43C0865B6D30348787E4CB3F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007987350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:56.391{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62152-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898514Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:58.611{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBC3B98200F907F842B01B5743B3E370,SHA256=132EEC053E73CE8DA9B31B5902E383B383897AFD82A5A3C630DF9A61ECC4BA89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015898513Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:54.403{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51897-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000015898512Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:54.203{B81B27B7-8806-60DC-0100-00000000C701}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51896-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal445microsoft-ds 23542300x80000000000000007987353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:59.867{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84B807F62282CBF307CD3CB9E0CE57AF,SHA256=FEFDC4F4D4661A40A3AA42D501FAC0C91BE37EA4D4F9C7A98A29719E671862CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007987352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:59.179{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59F82395EDA26E8F534C72311F870CAC,SHA256=FD0644230AC277A5A6FD556FE7155F1ECAD5922D6EC877CF2B53FF00C23CC0F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007987351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:59.179{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20CBB3725042EEDE4081EB36B0B2BB02,SHA256=9F33E99B71DBB4024FF7C5FB83D453F725F4AADF48707C108A8E8DCB348D77D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898515Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:59.626{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C89473C45CB0F1D6B5F3B017594E00B,SHA256=3505A4B446D815EE3381D56D090078D531043033CBF35974EEF6B1587F0C695C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x80000000000000007987354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:05:00.039{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d76e92-0xd81724aa) 23542300x800000000000000015898516Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:00.673{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01CE5AE6982FE65AA31BC271AA2CC166,SHA256=B741ECBC3F9C10B274EC801783E240A6FBD683757D2C6F6AD94B082D0B0713D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007987358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:04:59.235{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-128.attackrange.local123ntpfalse169.254.169.123-123ntp 23542300x80000000000000007987357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:01.228{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=46ABE0E70FE77E9510FBC2A8963EFF99,SHA256=6EAB124E15F0D2413BD292021B46E79447F71E5BB921E952D49B9D691D7AE228,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007987356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:01.228{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7542DD96369C2FD324C55503C5E1E2F,SHA256=D651473CB394D0831B9113016DE7035F066C9E9C2C252D36986C7B82701EEA65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007987355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:01.228{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F4EB69BF94232740A606276F90864DD9,SHA256=309DD8921726C2EC8496138BA3084D9687CEC0670CB5BB64E699D8DDBA2EEC68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898517Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:01.689{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EB327B34E819428A73B910CF5347553,SHA256=2D467BF1F932DDC03BA15BC83AF3F637CF17CAB61EAE4C8A981D0BA4319AEC87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:02.603{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83274ABE82266221554AA4673EFEDFE7,SHA256=CFD5C0E63B88521081E9510DE0DA0171B1D2C9EF62D7F5FF18348DF2F386D411,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898519Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:02.704{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E9B431B509A3D1BD34BEF10F72D913,SHA256=65E7ABA85D61F4458F83102D8DC47D595D2CBC4B9026531CB676209E837D1E4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015898518Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:04:59.466{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51898-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007987360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:03.978{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=430097A8BF6BBC1D6B9A5AF59EEB0470,SHA256=92EE6D73167DF7F9CBFD1511A0AB292C9C5C5775A1B363E11E18D5D42D82CD96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898520Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:03.767{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4A90005FC3DF5DFF44DBAD7898C7D9D,SHA256=F5A943F6921307F0409E47B8334CE02103BFC5AD1EB01560D27DA96945F8E4AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007987362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:02.424{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62153-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000007987361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:00.973{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local52893- 23542300x800000000000000015898521Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:04.782{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=076033DA7E2035BA589F72D2A10B3C3F,SHA256=7C40C84B6A90A31DFBF0A787760C12CA70D5005F786C08AB5018BB778C8413E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898522Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:05.798{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CC8B22659004793C143D804E4F2C1FE,SHA256=2FA0D00AD2AE43B8B10944B2EE49614815CC0B0A8D5BE7B9E2C44CC13B2FDBC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:06.665{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60D3C0F2F91C491B3D02D7FB2B50FCC,SHA256=D7B76ACE6DA36455085C6F250A97E30579871D8CA60DAA1391DF4B65FCB53A7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898523Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:06.798{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92403AE9B5BCA4504ADF3584F5903338,SHA256=91A61AB327533EBE99908C0556E46839F5021BF4D62971FD5444B2F07727E0B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898525Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:07.815{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D992A2E193FE26C2799624F9FB21ECD,SHA256=9A23129664F5A7FE88EFD23C32CDE96CD2B713DECD5DB05268DC4C01A8AE59C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015898524Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:04.529{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51899-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007987364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:08.154{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF153142A0B930CFC26F253667021FE,SHA256=7EADC1F4ED92BCDBFA3147FEF649AB2AEEDC5895EFAF8FA05F1438F3BD859B38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898526Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:08.815{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72C4C75556997EEFA9FFD477A4328ED1,SHA256=07ECFFD61ABE3B9396A52080C49FB3366E56F275A43484BCA7A5E4197E826ED9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:09.591{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06FE0A94F79BC748C7852C52C660D0E2,SHA256=D5D5ED1AC819AB423E9770622BAA89D782AE5004802139AA59992B75E253D809,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898527Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:09.830{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E7A94525EF799AC218D4F638605F631,SHA256=7977BE2AF2DE7664193411A23294FC52E779B05F5C3CFCDE05CC86B8DF2DB731,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:10.951{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC36C291CDFBF829FC736A89D2FB6C00,SHA256=816ACDF73B519D250FC4C3EE1F7E9239ED778FDB2B2DFCCA9D5B31AD8572B52E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007987367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:10.263{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=505251122501AE177B7ADDA37DBEB1CA,SHA256=D579CA43BFC1737D4833935A8D807A3DF61773F9616E00D9D7503BE4F0A91925,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007987366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:07.444{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62154-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898528Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:10.846{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C42606573281C27A5DE2A52772B7ADA,SHA256=04A1E987D02C5C25885869450C4DC4497BCE51587BAA6879850C1B2A21D2243B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898530Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:11.846{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE0EC96B500B18EC4C57D85637D622B,SHA256=A0DC8501769EA63120306F92BDBF662B401782F078F2AF1ECDA54CD6D5BC60BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015898529Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:09.561{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51900-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007987369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:12.310{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A085D31ACCB3E5631D722E6F78C7726,SHA256=675C685D9A6DCD6F66007DF1727E4B37A8C43D9CF00CD957DC53B75C28097A84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898531Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:12.862{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01EA752DD3ED988B3FADDD1A2058DAB9,SHA256=17DD75D7D755EAA9C98141981C80A5FB6C6BEBEA275DC6682F521320215C9E23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:13.685{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D4C830B7E9C44D4E4C53832FB1F1AD0,SHA256=C5AD2526E1A51674F723E22788BE49E607E0DA34552C2AF7EF8DE8397E697C83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007987371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:10.741{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62155-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007987370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:10.741{3BF36828-DD1D-60DD-2F00-00000000C801}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62155-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x800000000000000015898532Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:13.893{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4771427E6A3071602798EF5DF3BFDDB,SHA256=FA23AFB4C96555D826045EAC8E46EC46F587B1D96A5BEC8C7CC8077828A27C68,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898533Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:14.971{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80D3AE9810B20A6E08838E2167F76DF9,SHA256=21863BAC9CA7EB733C35060C89A7B2D628083FD2D5E6690BC07C224C119B205A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007987374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:13.350{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62156-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007987373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:15.045{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40BD604BE662B57F25494E612A729CE3,SHA256=5C4E24BB4FEAE9AF0919EFCB53F1B415C73AFFDA2BC144CC0C897DCE37AD31BA,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007987431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.513{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007987430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.513{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007987429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.513{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007987428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.420{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007987427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.420{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007987426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.420{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007987425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.420{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007987424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.420{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007987423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.420{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007987422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.420{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007987421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007987420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007987419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007987418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007987417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007987416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007987415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007987414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007987413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007987412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007987411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007987410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007987409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007987408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007987407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007987406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007987405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007987404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007987403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007987402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007987401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007987400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007987399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007987398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007987397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007987396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007987395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007987394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 23542300x80000000000000007987393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=569DBF19B4D6261FF1350811CE8C12C3,SHA256=C2B27F54BF1789EB634B542BC588454960F25D3CE82840BAD19E1C19BA000CC2,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007987392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007987391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007987389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007987388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007987387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x80000000000000007987383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007987376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.404{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007987375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:16.405{3BF36828-E7BC-60DD-D801-00000000C801}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015898534Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:16.018{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=822EE081E25A16AF10A3148F63E18D3E,SHA256=42A4CB9BD738DE5B5DF723F95594F5B8A9D6CB34E431547C833AD8D95BD69101,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.779{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CEB6DA62BF6B3A072C7872282F43B2A,SHA256=156B4AE5262AB131E8437C9B1016495121BE322E39D1F470D8AE533B87924303,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007987487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.201{3BF36828-E7BD-60DD-D901-00000000C801}10843996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.201{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007987485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.201{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007987484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.107{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007987483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.107{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007987482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.107{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007987481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.107{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007987480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.107{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007987479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.107{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007987478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.107{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007987477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.107{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007987476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.107{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007987475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007987474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007987473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007987472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007987471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007987470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007987469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007987468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007987467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007987466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007987465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007987464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007987463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007987462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007987461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007987460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007987459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007987458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007987457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007987456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007987455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007987454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007987453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007987452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007987451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007987450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007987449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007987448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007987446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007987445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007987444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x80000000000000007987441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007987433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.092{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007987432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.093{3BF36828-E7BD-60DD-D901-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000015898536Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:15.373{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51901-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898535Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:17.065{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EA412B2A7AD807936C82879CD3BCB35,SHA256=51D72E0A956FAF4414FA56CA547E39A5366ED0D23621E218D9F448CC12553961,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:18.467{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=709717E3B3028C10716B592D15C535C1,SHA256=E9AA9238814F2B521AB9EFC0FCBDD88EE0B6601AE50C0BAE7E968524102677ED,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000007987491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:05:18.279{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\D370F6FF-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_D370F6FF-0000-0000-0000-100000000000.XML 13241300x80000000000000007987490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:05:18.279{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CA735696-6C26-4910-BF98-1B50C97DCBCC\Config SourceDWORD (0x00000001) 13241300x80000000000000007987489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:05:18.279{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CA735696-6C26-4910-BF98-1B50C97DCBCC\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_CA735696-6C26-4910-BF98-1B50C97DCBCC.XML 23542300x800000000000000015898537Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:18.080{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47BA17212B8A4F619889064599DE1618,SHA256=51AC4BF54F7E98B821F9A528B3CC333A4E1BBA64ACFA9C5D1B65BF2FCE16D835,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:19.826{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AC6F40A78095B8849B2815B7D9A5CB5,SHA256=8D154B0D294E49AE7B7C22C970ECAFCD82CD25E5696C1C8FF8066C646608DDD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007987499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.508{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62159-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x80000000000000007987498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.508{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62159-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x80000000000000007987497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.503{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62158-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x80000000000000007987496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.503{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62158-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x80000000000000007987495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.491{3BF36828-DD0D-60DD-0D00-00000000C801}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62157-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local135epmap 354300x80000000000000007987494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:17.491{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62157-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local135epmap 23542300x80000000000000007987493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:19.154{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA3CEA703B7EC34758D369420F000A46,SHA256=C752239BF5277ED168640F3F2CF0ED72A02985853632D7CCD385ED87D88F6101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898538Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:19.111{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F299459F4DEB36E90E251C50C1F3CB6,SHA256=F3A3DFBDC6BD1F23E1DE25A6890B5147DE63A700FDDEBA730806CDF7FA6AC047,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:20.873{3BF36828-DD1D-60DD-3000-00000000C801}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007987501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:20.576{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E208CA3D94769596856274995A624FF,SHA256=61BFB098607BD9F4FE3D09A4EF659057488D4881DC2403CFBF3FCDEDD8E833C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898539Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:20.112{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3AA772AC35337A2B1EF131501F6708E,SHA256=173AA44FEA45FD1FCE07098D5B4C075CB09E163EF4F1DAF845F01DCD59B88615,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007987503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:19.381{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62160-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898540Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:21.127{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D1B74A9DDD97ACEE98AD664F60E1297,SHA256=98BF375F6398384B052CB232F129720A3D895D3F800B84A49ABFB0F66198DF9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007987566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:20.068{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62161-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000007987565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.701{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE2F32FF5C36F353772ACF2B7465DEB,SHA256=DECD1230B8F23BA83A22AEE01FF5627C0FAFBDE08AA9CAD4BDF4EA86AA0F9CEC,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007987564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.139{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007987563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.139{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007987562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.139{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007987561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.029{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007987560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.029{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007987559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.029{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007987558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.029{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007987557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.029{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007987556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.029{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007987555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.029{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007987554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.029{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007987553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007987552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007987551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007987550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007987549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007987548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007987547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007987546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007987545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007987544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007987543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007987542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007987541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007987540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007987539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007987538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007987537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007987536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007987535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007987534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007987533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007987532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007987531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007987530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007987529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007987528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007987527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000007987526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007987525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007987524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007987523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007987522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x80000000000000007987521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007987519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007987518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007987517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x80000000000000007987514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007987506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007987505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.014{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE20BA66F97D7431BEDE9D3B4CF4FAFA,SHA256=B1E7CAA06DDF480D992C6ED2626804DDDDE78F4EA56ECA65AB42B25D2D92CFF1,IMPHASH=00000000000000000000000000000000falsetrue 154100x80000000000000007987504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.016{3BF36828-E7C2-60DD-DA01-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000015898542Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:20.514{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51902-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898541Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:22.205{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=959DCDC4CF16F8DFA83C8F70967E6560,SHA256=648EB133FFEE1F06437CE264D0B5BB0E6C588991B154E75EC695CCF59AE1F162,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:23.404{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA635E4B817984BC1039B42A3A9FEC82,SHA256=602110CD18FF80DD86ACDC3DCB6678EDECFE469753ED7256961555C5AEBB7986,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007987585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:23.217{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:23.217{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:23.217{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:23.217{3BF36828-DD0B-60DD-0B00-00000000C801}652860C:\Windows\system32\lsass.exe{3BF36828-DCF0-60DD-0100-00000000C801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000007987581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:23.107{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:23.107{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:23.107{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:23.107{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:23.107{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:23.107{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:23.107{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:23.107{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:23.107{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:23.107{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:23.107{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:23.107{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:23.107{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:23.107{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:23.107{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015898543Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:23.221{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1553E94363FDE152731C1A4D7480C2C8,SHA256=280F5DC5853163C5A686625CE463FDAC93CF403F35041F24C77121C5584E7389,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007987704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.904{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007987703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.904{3BF36828-E7C4-60DD-DC01-00000000C801}45043960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.904{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007987701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.889{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007987700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.795{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007987699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.795{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007987698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.795{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007987697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.795{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007987696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.795{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007987695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.795{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007987694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.795{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007987693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.795{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007987692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007987691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007987690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007987689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007987688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 23542300x80000000000000007987687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30342ED49C82F6C25675D488BB7D9AB9,SHA256=B4F0ABCD4CD00153486D703BCCAE8915C3AA87B0B53299309FD534FAE7AF1655,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007987686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007987685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007987684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007987683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007987682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007987681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007987680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007987679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007987678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007987677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007987676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007987675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007987674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007987673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007987672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007987671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007987670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007987669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007987668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007987667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007987666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007987665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007987664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007987662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007987661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007987659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007987656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007987649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.779{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007987648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.781{3BF36828-E7C4-60DD-DC01-00000000C801}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007987647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.329{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-128.attackrange.local62163-false10.0.1.14win-dc-128.attackrange.local389ldap 354300x80000000000000007987646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.329{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62163-false10.0.1.14win-dc-128.attackrange.local389ldap 354300x80000000000000007987645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.322{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62162-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x80000000000000007987644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.322{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62162-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 734700x80000000000000007987643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.185{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007987642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.185{3BF36828-E7C4-60DD-DB01-00000000C801}44204356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.185{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007987640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.185{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007987639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.092{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007987638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.092{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007987637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.092{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007987636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.092{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007987635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.092{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007987634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.092{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007987633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.092{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007987632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.092{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007987631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007987630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007987629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007987628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007987627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007987626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007987625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007987624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007987623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007987622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007987621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007987620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007987619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007987618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007987617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 23542300x80000000000000007987616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B2ED56F02ED3EFBC4E137765D4F1092,SHA256=6EEF1357A5815742E1424C467376482B4473DEA0BECA4EBD66C59AF107CC7634,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007987615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007987614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007987613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007987612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007987611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007987610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007987609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007987608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007987607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007987606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007987605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007987604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007987603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007987601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007987600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007987599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007987597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007987588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.076{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007987587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:24.078{3BF36828-E7C4-60DD-DB01-00000000C801}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015898544Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:24.252{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D26343579DB04612C8EDC235751F75F,SHA256=C71183613DF947D83FC1F97DBF5E37CFB0F7EB648DE300CF02AF31A6590F75DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007987762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.654{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007987761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.654{3BF36828-E7C5-60DD-DD01-00000000C801}3321492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.639{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007987759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.639{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007987758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.545{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007987757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.545{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007987756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.545{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007987755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.545{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007987754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.545{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007987753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.545{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007987752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.545{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007987751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 23542300x80000000000000007987750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2ABD2E42FED807749D6DB6595D16760,SHA256=80C6F6593DACA1E15B817166F595D23452FCC22867B3605CD6DF19C2A07E837E,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007987749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007987748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007987747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007987746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007987745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007987744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007987743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007987742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007987741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007987740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007987739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007987738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007987737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007987736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007987735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007987734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007987733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007987732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007987731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007987730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007987729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007987728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007987727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007987726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007987725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007987724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007987723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007987722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007987721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007987719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007987718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007987716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x80000000000000007987713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007987706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.529{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007987705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.531{3BF36828-E7C5-60DD-DD01-00000000C801}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015898545Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:25.283{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3237CBAA363FAD788726D5364C6D7F7,SHA256=5B493F739F611193334D2CCA4214E52474F2933D30D97B82EF9D8863B1745FBF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.920{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0642E7B2C1E58C2EDCB8566039BCBA95,SHA256=6ACE7CC06FB36050B021A65A8FCC6917C5DBD98EE9EC321836BBD055CC4D1F70,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007987821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.342{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007987820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.342{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007987819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.342{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007987818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.232{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007987817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.232{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007987816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.232{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007987815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.232{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007987814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.232{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007987813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.232{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007987812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.232{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007987811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007987810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007987809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007987808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007987807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007987806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x80000000000000007987805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007987804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007987803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007987802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007987801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007987800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007987799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007987798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007987797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007987796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007987795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007987794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007987793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007987792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007987791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 23542300x80000000000000007987790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B36223873943C6A9BC3FF7FF75581B1,SHA256=95F8C00909EE92FBC62BC435EBFF2826794347E1B3530ADA1363E86A4B749144,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007987789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007987788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007987787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007987786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007987785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007987784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007987783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007987782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007987781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007987779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007987778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007987775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x80000000000000007987772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007987766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.217{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007987765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:26.220{3BF36828-E7C6-60DD-DE01-00000000C801}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007987764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.432{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62164-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x80000000000000007987763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:22.432{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62164-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 23542300x800000000000000015898546Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:26.299{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C64B70898E832663061F5FFFDA6B1DC,SHA256=28CBF7DE8CA916B24D132718649314062BFB6638F0762EBFF7FCAB9D236997DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007987823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:25.396{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62165-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898547Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:27.315{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC82AFCF884F2426DB4A42F1CBA9147B,SHA256=A221A8F771DF6394B68DDBC7C32B10612E4BB31B14D166BDDB7B1A85343991BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:28.436{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F70C5FB2A37A1E293AD2773013BAEAC4,SHA256=4F0142B870B09DFDDF1D04BDDFBA0C8F56AEF9F3AD3481EDD884C2C9BF838E14,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015898550Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:26.545{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51903-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898549Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:28.393{B81B27B7-880B-60DC-1F00-00000000C701}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898548Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:28.315{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23D8774C5BA0E426FB3E00CEB5DDDB91,SHA256=7AC8D0E442E1894AC0BD9D0275CFCCEB70A5D108EC58AD787EAD314C143BBE75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:29.186{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1952D03F18007FDF4EA3456FC642B8D,SHA256=1A863AF604EC511785DBCF6E5674C814CB4A4A1AE9543E18ED17BB2A87ADADB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898551Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:29.362{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=919A356D880A8C31347AADB3928BD6CE,SHA256=C5341AB099B09EF6536236E72E7698655A8DE6DAAF02FF7E59CEBE3F608C3E09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:30.623{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CDA569A057AFC5658EF5DE5CB99EFBB,SHA256=EC2E678F4D9BAE176ACD40C4196237CFAC9E89CE3BEDAF7B1C5D678E6928A731,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007987826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:30.623{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DA6DF5EC3483E505FF130A1006A6C6A,SHA256=A255C5E199D898BF3C50BC5879A58BC4DC00114CEC09FF947CE6D28897C45438,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898553Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:30.377{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08FBAA1D1692648F148176C835A03665,SHA256=ACA280D2988E64C10403CB4A59FEE50EA6106C1E70607D9FD972F3FAEF109A68,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015898552Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:27.688{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51904-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000015898554Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:31.408{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A671C143B5A61AAB01E7A76E8FE7A64,SHA256=55F4B0F200C815898D30F1C8172F7A0EBC8C18B1E29B8BE561661B7B440324AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:31.998{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17CF93706575B196A26AD0111347C5FA,SHA256=58C7A1A0AADCD53B051852E13E5E21349640B5C9AF4AE08BF749F0EB8FD929BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898555Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:32.424{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9425CFFD62B542644B82525E131A8F5B,SHA256=274F4FF436E3CEDE6FE28830DDE529D2D8674DE2FD6D75DE7D8A0A4954067126,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:33.373{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DC36B0AA483A24D30A447449EBFD1CE,SHA256=8D5C790D5515CC67C35C0CC8AF36368C074D0EC3899F2116C723AFBAC12430AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007987829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:30.396{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62166-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898556Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:33.455{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFA3EA2045F5B65521BDC50194D1B68A,SHA256=B680AE2749DA828488641F865A958C56A86BA1970F848E88D05DFE9C1DCFA201,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:34.748{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB7F0E722B8C6108E2848B73FD601543,SHA256=38E37500A2DD3C992324A84A9788E7F670133770886DF13F1C9A7A3097D4C5F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898558Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:34.487{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CD78404960A5F94BF93DE793B510870,SHA256=C3C9A7711C897AAEB44ACAC9FEA93C8AC15E49F374B137919FC080561EBDC676,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015898557Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:32.327{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51905-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898559Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:35.502{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9C75EEB46D170B745E8A586E145F29E,SHA256=31F7CA354DFF05F3B612EAB2450F0781971F06C0DCC40EE808E5DB9810CE85CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898560Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:36.518{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0CE98C8201B8BAA9E4EA5F70F5B9333,SHA256=F21A9DE4671DA2DD5E7441DDA84A973294D1FFD3F93F22B341C8602B58519687,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:37.451{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18CBFC3F1958287BF96EB3D1A2E0FF5E,SHA256=71E5F05400746DC04EB21AF57E2AE09A19E9E8AD779BF74B3DD33000F3F5FF01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898561Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:37.580{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=864AB5DCCEB994280EE08224E929C34E,SHA256=D5E04C37A5CC48BA02D22F1C1135DFD4F92CA08C7A2C5967D73869442FACC9D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007987833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:36.381{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62167-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898562Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:38.596{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1A4BBDEA2C89D25A339EE9A5328B278,SHA256=D008650C5504E814C29A9BF259CB37593E010F1E58EED20D43FDAAEE07BC8E33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:39.827{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D1813DB83AF5C4CDA4579C1CA3E24C,SHA256=09253C026C84D052CD5E808F0A64D526C40F642FAADD904B333F6DAE9AA096E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007987834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:39.483{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B5AF996993BD9C2650567DEE73423BB,SHA256=EA8F13709378F223EA650DC6E3C5E71A82ACE6C5312F39EAFB712A7A9ECA5286,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898564Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:39.612{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23117C8AFAFA5F41E004941B6DCCABDB,SHA256=1F11E1D6549174F06151AFDBB2C9CBC042F4CC5A47840BFD2FAFF31A941ABA9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015898563Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:37.407{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51906-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000015898592Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:40.127{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898591Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:40.127{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898590Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:40.127{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898589Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:40.127{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898588Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:40.127{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898587Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:40.127{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898586Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:40.127{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898585Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:40.127{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898584Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:40.127{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898583Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:40.127{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898582Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:40.127{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898581Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:40.127{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898580Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:40.127{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898579Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:40.127{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898578Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:40.127{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898577Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:40.127{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898576Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:40.127{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898575Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:40.127{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898574Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:40.127{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898573Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:40.127{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898572Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:40.127{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898571Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:40.127{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898570Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:40.127{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898569Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:40.127{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898568Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:40.127{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898567Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:40.127{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898566Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:40.127{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898565Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:40.127{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007987837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:41.936{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=213B69A1FF71024F2875643EB03B7496,SHA256=7DD7950059941DE7F3781E0E781C3CD896AF56C00581547B3803FA5E8133026A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007987836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:41.248{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=259546F397E156C53B27A99D1B6BD1AF,SHA256=1A65E72FADD1C34E769EA401B3829E906712866E4D4BB734A76DC92805E3870D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898593Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:41.080{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2339E3A005A220840BA54651C529DA37,SHA256=DCC617D0F6F2B10D134255FC0DAF7279A79AFC041506C8B872B37BC7F94E4A07,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:42.623{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59775727ED3CC1EDC5CE02A87B7454AA,SHA256=71CF1C9ED16E94B9AE736BFF3A4B98FF397E300194EE5E1EEDD847664E5669F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007987838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:42.358{3BF36828-DD0D-60DD-1200-00000000C801}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=555E83517D405913FEB4157AE145D39A,SHA256=57E23DCE57728927FA101F06F0D2B814EBD74D1D8499FBC7CA6833D94FB0FA5F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015898607Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:42.955{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E7D6-60DD-1D2A-00000000C701}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898606Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:42.955{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898605Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:42.955{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898604Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:42.955{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898603Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:42.955{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898602Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:42.955{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898601Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:42.955{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898600Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:42.955{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898599Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:42.955{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898598Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:42.955{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898597Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:42.955{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E7D6-60DD-1D2A-00000000C701}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898596Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:42.955{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E7D6-60DD-1D2A-00000000C701}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898595Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:42.956{B81B27B7-E7D6-60DD-1D2A-00000000C701}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015898594Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:42.143{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7E8ADEC72393B5657D24CE79F650F20,SHA256=F1AE50CE48A7C7A5A6855986CB8853DF38A191B761A699AFC02A1ADF30324A8B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:43.983{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A52AA9589D965BB711344013FA40EC6,SHA256=C1D670CE099F7A7D102AE27829677FF0697A3B6327A27298C3C915273E01D4E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007987841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:41.396{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62168-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000007987840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:43.202{3BF36828-DD0D-60DD-0D00-00000000C801}9243600C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898637Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:43.986{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E7D7-60DD-1F2A-00000000C701}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898636Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:43.986{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898635Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:43.986{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898634Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:43.986{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898633Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:43.986{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898632Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:43.986{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898631Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:43.986{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898630Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:43.986{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898629Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:43.986{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898628Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:43.986{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898627Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:43.986{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E7D7-60DD-1F2A-00000000C701}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898626Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:43.986{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E7D7-60DD-1F2A-00000000C701}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898625Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:43.987{B81B27B7-E7D7-60DD-1F2A-00000000C701}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015898624Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:43.971{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA77278F81EC725052E86E900B01397F,SHA256=4A396FE130F761749FE0AEF2EBB80C614AAD28E4059E38B0ACAF6FD99F4B4E30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898623Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:43.971{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BDB3F3406F5498B750FE8F2D5E139D7,SHA256=602F41B75D798132F9C23119038CCCA88D84CE5A769D5B26E19376BBC3F6E42A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015898622Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:43.612{B81B27B7-E7D7-60DD-1E2A-00000000C701}50161844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898621Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:43.471{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E7D7-60DD-1E2A-00000000C701}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898620Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:43.471{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898619Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:43.471{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898618Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:43.471{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898617Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:43.471{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898616Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:43.471{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898615Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:43.471{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898614Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:43.471{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898613Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:43.471{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898612Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:43.471{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898611Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:43.471{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E7D7-60DD-1E2A-00000000C701}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898610Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:43.471{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E7D7-60DD-1E2A-00000000C701}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898609Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:43.472{B81B27B7-E7D7-60DD-1E2A-00000000C701}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015898608Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:43.158{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=089B4F68AA65F4E067553B4C4F450F34,SHA256=23351534D92FF2529BB312018E479EC5DB8762FEB6483BC2B4FDE31ECAE0F980,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898640Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:44.986{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA77278F81EC725052E86E900B01397F,SHA256=4A396FE130F761749FE0AEF2EBB80C614AAD28E4059E38B0ACAF6FD99F4B4E30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015898639Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:42.420{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51907-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898638Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:44.283{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A4C099FABC33265FF39F17FFB4D5D17,SHA256=1373F28762494AFF057D061BA6390611B63E7EADE6947F8533F9BAFB09CD2493,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:45.356{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFB5D682EBABE23E3BB5DEA04C729477,SHA256=A3AB641C3BC2D9D6D5EAA692FF19B957BAC2BEE2A1687CC4161D5ACC9F7D5A45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898641Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:45.299{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90DB4E7FC87FFF529B1094A32591DDAC,SHA256=797BA1574951A4867C77CC44D566C1298504F1A2BBB2D0FF3521B256D12242DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:46.718{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B953733C8D0D4C39724D15AAB3746DBF,SHA256=BB461263D12D444A8E08CA5F07059CFA58365BC444F7F4B4983712B58E832C4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898642Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:46.361{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45FC988C726A183230AD4C0D11707A56,SHA256=F960F9D367595C91781BA59DBD7B16C4F439BDBFD7AA11678B5D5CA18026B6A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015898657Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:47.517{B81B27B7-E7DB-60DD-202A-00000000C701}56322776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015898656Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:47.392{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3167B89FCE6F44FB2245EC429A53C52,SHA256=20E1EF8B3CD411FB638F5A003E6F97C30F335DFC8D612FB2819575E217774FA8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015898655Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:47.376{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E7DB-60DD-202A-00000000C701}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898654Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:47.376{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898653Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:47.376{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898652Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:47.376{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898651Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:47.376{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898650Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:47.376{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898649Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:47.376{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898648Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:47.376{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898647Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:47.376{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898646Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:47.376{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898645Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:47.376{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E7DB-60DD-202A-00000000C701}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898644Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:47.376{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E7DB-60DD-202A-00000000C701}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898643Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:47.377{B81B27B7-E7DB-60DD-202A-00000000C701}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007987845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:48.092{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32F75287EDCEA5ADE9597D9E3ACDA2BA,SHA256=3C5F89AFCCD1FDB782BDC076CC59FE91014EF32FE0062F338E0A84DC655C53E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015898687Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:48.845{B81B27B7-E7DC-60DD-222A-00000000C701}43483132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898686Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:48.720{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E7DC-60DD-222A-00000000C701}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898685Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:48.720{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898684Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:48.720{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898683Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:48.720{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898682Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:48.720{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898681Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:48.720{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898680Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:48.720{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898679Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:48.720{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898678Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:48.720{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898677Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:48.720{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898676Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:48.720{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E7DC-60DD-222A-00000000C701}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898675Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:48.720{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E7DC-60DD-222A-00000000C701}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898674Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:48.721{B81B27B7-E7DC-60DD-222A-00000000C701}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015898673Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:48.611{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59E978939611C72AFB122A8E4DE38F12,SHA256=A2284DC44DD3031F3E866003A3FFAA435B6D374B1AF2F6C346FF0B626842BCDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898672Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:48.423{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67BB12542EEFF263F39F8581FB7B33C2,SHA256=2C4D4A70854BBC48A3564B7A6E370AB6602EE0CFC1FE2103D3D0917919AF4DAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015898671Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:48.189{B81B27B7-E7DC-60DD-212A-00000000C701}18842032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898670Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:48.048{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E7DC-60DD-212A-00000000C701}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898669Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:48.048{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898668Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:48.048{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898667Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:48.048{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898666Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:48.048{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898665Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:48.048{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898664Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:48.048{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898663Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:48.048{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898662Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:48.048{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898661Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:48.048{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898660Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:48.048{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E7DC-60DD-212A-00000000C701}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898659Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:48.048{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E7DC-60DD-212A-00000000C701}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898658Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:48.049{B81B27B7-E7DC-60DD-212A-00000000C701}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007987847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:47.348{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62169-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007987846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:49.451{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EA85448D20E94379DFEE18EA67CFD93,SHA256=5BE9C62C590EBA7601E47940869DD097C2D6FF312BF66990491CF74B7D7AA36F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898703Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:49.985{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C84B0A35E000B6054D6C781557CECF26,SHA256=9CBC4547553314876335F06F54AAF992CD55942E61FD1514DAF4C3DA27FCAB38,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898702Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:49.985{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=934A6BBE89813A6EADE797DD55620547,SHA256=B1E6BF1C9A0B110F0B10AC9EA4AB04F6AFF46367B3EC83E0513E3F3C7262772C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015898701Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:47.452{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51908-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000015898700Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:49.392{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E7DD-60DD-232A-00000000C701}304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898699Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:49.392{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898698Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:49.392{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898697Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:49.392{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898696Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:49.392{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898695Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:49.392{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898694Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:49.392{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898693Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:49.392{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898692Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:49.392{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898691Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:49.392{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898690Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:49.392{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E7DD-60DD-232A-00000000C701}304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898689Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:49.392{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E7DD-60DD-232A-00000000C701}304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898688Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:49.393{B81B27B7-E7DD-60DD-232A-00000000C701}304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007987849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:50.826{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5074F71C662E78407B55C0D2AA943EE,SHA256=EF8542DBB04C522B36C6E8BF66ED01D7C29D11DA1F7B572996A09DC1AEF6DE71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007987848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:50.826{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6976969E4D3445B96FFA7CD55287C716,SHA256=D36361ACF83B21A78559993637D13011CED727DFF0755FE808D9D75704FA9680,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898704Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:50.799{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CD88298BF78F803B57D929BAD6736C3,SHA256=F6FBDD4792D8E4053BACA37895280EFF94AC123010303A2A145BC4109C195097,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898705Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:51.802{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=137230DF7E5EF7FB4B83A1655C71FFAF,SHA256=4A9D25B60CF6A18883A40AF0552F8A2C5CBCDB36812AE5B5A8B09B6CC4214454,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:52.185{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A46E045337B63B2578B495E6714A133,SHA256=2C8A055A24D6C22CA61F85629D3DE45E10A239D5C08B9915AEDFEA3084EA1FD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898706Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:52.814{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BA9E46E68088A8DA09380F0D79158B0,SHA256=C99E77135F29B11DFA4D47D6E649E810B0D48C67C2AF9E98F7EE94E34B525072,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:53.545{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94BEE31AF096FB60C9AD3162AF8A2E1B,SHA256=BE24184B3FD16B46214D9870676B3766A5EDB6EE2F7911FC19713E859EE32D53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898707Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:53.815{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC3B85BCC107555FBE1982561A2965AC,SHA256=E8F8540811CBB42FD3ED19504B36B69DCD04E2D8C2AFDEC80921A2ADBC3A562B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:54.920{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EB17FF5C7F4C8DCDFE7214E5B935A91,SHA256=CBCB84B90DA2B523FBF5AB01303581C108A5576B002B365980BCE5E7E267DA11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898708Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:54.862{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F46FECEE626522C867776CFDDCD6049,SHA256=500BA89989CC21C2FB57C3544EE85BEBBB461CD21B3D5A35570C4C1C0D881859,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898710Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:55.878{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=285F7BE0FD74C9AD94C8885C13771B3A,SHA256=BFAEC1B906E69185788F5A7399282460B4F80F59009D4EB3D7CAD6A0D55A5FD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898709Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:55.331{B81B27B7-880A-60DC-1000-00000000C701}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F6AAFBB9B5C785E897590B05742CB859,SHA256=262F9F2935AED37554883874451FFB2DEE0308B781CB1153969E1C7BE2326F23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:56.279{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=052564D737B0E9499E7033BFEE5CBB80,SHA256=17CB01D8A016E99DD5DF1B752C0427E7F6096E330CC69649329EB0F267302EB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007987853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:53.254{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62170-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898712Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:56.893{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B4D7B4C5D248BDDBFC9DED71DE31618,SHA256=20FA34AD484E642F143F92901D3B44C1D16E630FE1F0737E58BCE7A77F78745E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015898711Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:53.359{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51909-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007987855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:57.639{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFDB382DAEA079EB66E696F2EF294ECC,SHA256=4A4D2E71FA7B02903AADB5DCCBE8B7577A9DECC1C77A2923ED34224E4E45C4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898713Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:57.940{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F86611CF529E5BA168006D49A4F89D9F,SHA256=707C577693E9CC1409951FBC8250E6DAB03C23ACBCD35EA520F2736035AE3E8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898714Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:58.987{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=288B2A364D58575D4BED8CACA76350E0,SHA256=E564B041430DE7170830A27FD8B13C3CA3F7A34B72228D37F823B6DEE5A2C1E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:59.686{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C22F568FD792BBA5D6CBC295DF5996B2,SHA256=CC4E514065FB0B97C5D2A119F0EAC21A212982E2BADA755E7F9127E500E91E8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007987856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:59.014{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=775F29B9875FB4B7CF419F3187A36524,SHA256=33ECA7D4E882113F848F5EB9476C74F85644CDF28AA84BABB6654BC00D891FBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007987860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:00.373{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D9F5D0580582C6D5E4C7929F945BC68,SHA256=2C3AA48CC20569AC001A049CD6D0DCB47498B4CCC6556D7836DF91C9CFBCC601,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007987859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:57.553{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62171-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x80000000000000007987858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:57.553{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62171-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x800000000000000015898716Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:05:58.468{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51910-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898715Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:00.003{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F26DE1588DEFD25538D8565098FCF79,SHA256=4A94E8953AB0E8EEAC639591B90D4F9655640D63CC1EDFCB335DF4A5A11C3B20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:01.733{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59FB0201512F6B007EC24F65A286C896,SHA256=290167BA08ACC8D463B739373A0E027252F87338FFC1D3DD6EBDAAB44DBDA7D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007987861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:05:58.395{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62172-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898717Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:01.049{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCF78F8BE81DBD4452FF89ACC341AC8D,SHA256=1233427AF440FFBDF3D256A9D681E5B7B7716B983EC46E81C78BCF943AC41095,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898718Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:02.081{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2B745F9F2062E2EA8C70C6D6E7D0EA7,SHA256=60A24700E7195B42133206C9039FF094FA0A662EC11CAC71BFA02841BC0CAFA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:03.108{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAD8E2BEECB143AE08F7EB9EC4FD77C1,SHA256=2E9EE9DCFBAE2927459B3F14348F146FA1FBCDFBE8342B3DC98BBC5764DD2FF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898719Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:03.096{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78E1ADABB76C888963D6488BB913B536,SHA256=2D025C8A3FAD809CE852BA2B7D63222B3A5A8AE15C3805024D6989F3D6667367,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:04.467{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C4C90A79921B39C1E6914A311969ECE,SHA256=2E21F58BCF56FCFC5BDD41B56EA8005C79A1CA088039808667153595EB6FA8D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007987864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:01.614{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61969- 23542300x800000000000000015898720Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:04.127{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=324B46A37FD4488ED929B8483778F77A,SHA256=6726845C3E2F0C3A06328B38A01CDFF2B0DB295B49039EE6C56BAC703F20E02D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:05.842{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3359CB184931FFDCB30D7A2CABDDB977,SHA256=739383CCBB3B4A7A90FACD8A464FEDFDB351D55F2E073809EEF1E3C0BC9779AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898721Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:05.159{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18CFBE8E2F25EC454793E4D155DFD2DE,SHA256=94F80DC6B8374FA45D68D136F79627311CD1DDAA0D790FC4CFE7E9CFEE7D57D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007987867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:04.348{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62173-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000015898723Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:03.546{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51911-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898722Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:06.174{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC7718889A43B565A08E9C445588E5DE,SHA256=C7901077BC0CF76A168CA3FCF7E91FCCF6A2E158DE6A80C537C304E5E84DC38D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:07.525{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F077745D7E6AFCD50567CDEAD388FD5,SHA256=77AB4AD4768F7D346DE1601D3ACA85574D18F69CE9EFCEC76810072EBA05A764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898724Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:07.184{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1947156129B0F5B11694186F2184A299,SHA256=FAEF81C2651D9B7F8492E94C561E960003497AD877D9C81F40DECEABA5668325,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898725Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:08.184{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AF0B9EC5AE94B7FFEF1E33000D08699,SHA256=8FA2187A12E8FCDA393933E91F321BAD169360827BFFA9BBBDEE5DD18FB5EB18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:09.494{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E500DF536BACABAAE06590AD7413FC75,SHA256=035DD76108642DEF75A4A9E4E4296D659D38E6FECE1A5FAFB56ADCE5C9FB8939,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898726Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:09.215{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D490AE504F806FE54226600F25A5C325,SHA256=A0EC985845E3EF865CB7017513E5BE5E52472346E243784F55B2A45B68469420,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:10.885{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6683182FF41C768203774AF40893C992,SHA256=B318D085DD126C4B54E5AB4C08CC004A8EE2028675966EDAF183D56184D2AE31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007987870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:10.885{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D63F71699FE5A063BC862BBBF26CC6E,SHA256=949A5316A2417A5E375DC02F87235506BFA2334C5BE9F55B679781E287E160BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898727Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:10.247{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C3DEE0D0944C7951CD67B805DE638D,SHA256=44AD00A862D2A51AB8C4334727B5C30E2EB183111922131DE499B84147E8E0D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015898729Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:09.400{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51912-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898728Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:11.262{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D5375060496EAADE121DD30ADE29651,SHA256=8B3306E4BC55DB9591F7A7133D26A03789D208095F82DAB36DA09CFC8511ED25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007987875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:10.750{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62175-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007987874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:10.750{3BF36828-DD1D-60DD-2F00-00000000C801}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62175-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007987873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:10.359{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62174-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007987872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:12.260{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E7EB25672D4C98C5F01C3A958AFB070,SHA256=0310BD4FD1BDE2C46735BE1346559DF275E1F4736B28A5AA98ADC81550755094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898730Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:12.309{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C96477D7C04A670C74EDADEA328A7F39,SHA256=1CFFA1FD334D3563AB9A932D4FC26CCB0FAE053F8742B3E78A561C74078A875F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:13.619{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE33ED97C44FC7C0BA7E26680A1DCBA7,SHA256=0214C30FC8205628290357EAB197C9662828764AE58C26DD4F3AB1D4AC6B8720,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898731Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:13.340{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EE604D24E3EF2D05FA4D3EBE422DEB6,SHA256=196236A45E51E0DB3E537A9B12C59C8F65E42BF87297352253980D34471E7C5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:14.994{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97114F25C78F97EBAA698FB28E44B328,SHA256=CA493D8DB53A746ECC58BFA66424038659E3130100E9761A520FC21D6CEDB999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898732Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:14.387{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A767E396BF2ACFFD1FA66BE32047AD61,SHA256=15AD1FA60ED7904A022480E7436A85CB19F9B25745413E0D339A0326F0AC6B3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898733Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:15.418{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45B27AB21758FB0DD4D14839863A50AA,SHA256=32F11EE7E6A4FC7B9E86001D43AA71433B36B42460955CEBFA8D1DD0C2E05D7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007987934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.463{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007987933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.463{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007987932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.463{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007987931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.369{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007987930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.369{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007987929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.369{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007987928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.369{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007987927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.369{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007987926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.369{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007987925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.369{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007987924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.369{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007987923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007987922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007987921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007987920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007987919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007987918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007987917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007987916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007987915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007987914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007987913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007987912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007987911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007987910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007987909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007987908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007987907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007987906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007987905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007987904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007987903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007987902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007987901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007987900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007987899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007987898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007987897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x80000000000000007987896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007987895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007987893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007987892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007987889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x80000000000000007987886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007987880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007987879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.356{3BF36828-E7F8-60DD-DF01-00000000C801}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007987878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.354{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11903FEE46D94E89A547B3D7A759B32B,SHA256=89DB56552CBF599EEBA20DF9AE42AD877ABBA9D3970CF0B7E38E7D8EE0B7C184,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898734Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:16.434{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4B30D8B455DC18BC4C5371DFD12873F,SHA256=7F4DC9D08D2F8801A855A4999C6C219B70DEB3740550DA516F24DA9F171F5D5A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.729{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4217188898154B631883F2D3A57284C4,SHA256=BC8D1058C3B0BABE3AD9BBE5B7ED66A25D43145B79F09FB15A2A74C4729F894B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007987990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.166{3BF36828-E7F9-60DD-E001-00000000C801}24923776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.151{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007987988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.151{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007987987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.057{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007987986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.057{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007987985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.057{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007987984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.057{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007987983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.057{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007987982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.057{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007987981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.057{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007987980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.057{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007987979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.057{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007987978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007987977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007987976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007987975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007987974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007987973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007987972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007987971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007987970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007987969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007987968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007987967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007987966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007987965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007987964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007987963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007987962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007987961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007987960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007987959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007987958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007987957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007987956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007987955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007987954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007987953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007987952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007987951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007987949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007987948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007987946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007987944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x80000000000000007987943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007987937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007987936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.041{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007987935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:17.044{3BF36828-E7F9-60DD-E001-00000000C801}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000015898736Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:15.399{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51913-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898735Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:17.434{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C79A66A0394BADE256823CA3C6BB138B,SHA256=85624F0BDD05A6BAF2EC2B9C1201627190BD103A31B36AB40C80F3B52451B558,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:18.401{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=011A69E2A65E3C598C8A372BED049143,SHA256=E27B50A55508990FBFAE4150239ABFD7B6D08C97D3DE198EBD8AAAE9413E45C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898737Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:18.465{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A4C24A10B2E7DD59DD2756BA32E0B3C,SHA256=6AF089F9F9F476CE077029A50B205A06D397B25BD9091F6D0C7572FAC27B4CF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007987994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:16.312{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62176-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007987993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:19.088{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7567EEFA06B2718A7193220415E6B32,SHA256=C5669BE64642BC262AF3B86FD87E79024511817AE6074EC8D41840A3E1B6FF95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898738Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:19.481{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC4F6A996F368409EED7518BC75F8E9E,SHA256=3339671171BF2C64A854171491AB674AC8D2441ACF158CDD0506270738FB2270,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007987997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:20.901{3BF36828-DD1D-60DD-3000-00000000C801}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007987996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:20.526{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDD47280A4355DBD6B321DC46830B7BE,SHA256=296778C091C45B2AC81393FA590192E10A3F52282A3059297E29D96273DA0996,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007987995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:20.526{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35C1A532B28EF086A75A4C85097526B6,SHA256=2647E6B92641D42F38BF7CD6448E98217B76FF3B4049C010C05B36E2D8213053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898739Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:20.497{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A07797F19534C69483CA61C8EA492A67,SHA256=7F535DF049C36E521C926002A100179A2F08E7327DB04654DD1A8D2083A6933F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007988056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.963{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007988055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.963{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007988054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.963{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007988053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.963{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007988052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.963{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007988051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.963{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007988050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.963{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007988049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.963{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007988048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007988047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007988046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007988045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007988044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007988043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007988042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007988041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007988040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007988039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007988038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007988037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007988036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007988035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007988034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007988033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007988032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007988031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007988030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007988029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007988028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007988027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007988026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007988025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007988024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007988023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007988022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000007988021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007988020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007988019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007988018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007988017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x80000000000000007988016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007988014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007988013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007988012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x80000000000000007988009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007988001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007988000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.950{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007987999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.948{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C8DC05CED3F327EE04A3E3A6D7C50E4,SHA256=752DC1EB941136C1B4305309522DC6C3DF30C5BD8CE22B7E9BF66CFA42F447AC,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000007987998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:06:21.651{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d76e93-0x08bc2213) 23542300x800000000000000015898740Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:21.528{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A8967C72D264F94599BEE9086495508,SHA256=8F0305DB3259D6C6E6BC67F0057053DA59A03F9617BCDAD1705D4928AD212C9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:22.635{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CE134BAB6D542E20F69534E8FD2E684,SHA256=5C05396249918316707D8261CEADEE95DCC92916311D4FA28F82B814EFDF436C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007988060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:20.093{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62177-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 734700x80000000000000007988059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:22.073{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007988058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:22.057{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007988057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:22.057{3BF36828-E7FD-60DD-E101-00000000C801}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000015898741Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:22.528{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AFB40987517A0328902FFA67E3CB0B5,SHA256=AC56F925395354507EAB9B66EB8328D66F8EA753E9E1E087CEC29C251F60C5A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:23.323{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCF69D4D730B4C57FBAF47AE3504B89C,SHA256=2C378D3CB62C0AEDBB9BE43180C9ECFA7ECAAF54DF93245185F1D813F4365E3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015898743Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:20.446{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51914-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898742Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:23.559{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32C39E95116B3F3D70AAF2C9D67DEE1B,SHA256=840769552A4166637A3524F20A1181E36D85B45BFD6D1A55EEB8DB88D744984C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007988177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.823{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007988176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.823{3BF36828-E800-60DD-E301-00000000C801}22723324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.807{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007988174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.807{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007988173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.713{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007988172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.713{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007988171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.713{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007988170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.713{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007988169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.713{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007988168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.713{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007988167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.713{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007988166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.713{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007988165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007988164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007988163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007988162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007988161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007988160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007988159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007988158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007988157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007988156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 23542300x80000000000000007988155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23AC54D7584C13DB38A7BDABAD1E9473,SHA256=675F37BE3083BDD735637C619779098E34C8FE7162632F863C003D55BC68BA00,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007988154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007988153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007988152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007988151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007988150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007988149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007988148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007988147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007988146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007988145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007988144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007988143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007988142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007988141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007988140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007988139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007988138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007988137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007988136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007988134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007988133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007988132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x80000000000000007988128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007988121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.698{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007988120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.700{3BF36828-E800-60DD-E301-00000000C801}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007988119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:21.390{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62178-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x80000000000000007988118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.119{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007988117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.119{3BF36828-E800-60DD-E201-00000000C801}41482116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.119{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007988115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.119{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007988114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.026{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007988113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.026{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007988112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.026{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007988111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.026{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007988110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.026{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007988109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.026{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007988108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.026{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007988107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.026{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007988106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007988105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007988104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007988103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007988102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007988101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007988100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007988099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007988098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007988097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007988096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007988095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007988094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007988093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007988092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007988091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007988090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007988089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007988088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007988087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007988086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007988085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007988084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007988083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007988082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007988081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007988080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007988079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007988077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007988076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007988075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007988072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007988064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.010{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007988063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:24.012{3BF36828-E800-60DD-E201-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015898744Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:24.590{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4653AED510B1A68CBEBBD525E734F65F,SHA256=0736D9C70CEB267151836B6DB84C252EE55CF2CA4F8A68B4546447CA38B8C7A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007988234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.557{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007988233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.557{3BF36828-E801-60DD-E401-00000000C801}12043588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.557{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007988231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.557{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007988230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.463{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007988229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.463{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007988228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.463{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007988227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.463{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007988226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.463{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007988225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.463{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007988224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.463{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007988223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.463{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 23542300x80000000000000007988222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C16C0442B4F78BCC3EF3FA2F9A0FD4C2,SHA256=122034D6E83B9B49C51CCA57CDD713548E6222CEB0B314CEAB51D10550EF08E3,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007988221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007988220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007988219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007988218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007988217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007988216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007988215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007988214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007988213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007988212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007988211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007988210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007988209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007988208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007988207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007988206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007988205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007988204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007988203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007988202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007988201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007988200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007988199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007988198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007988197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007988196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007988195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007988194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007988192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007988191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007988190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007988185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007988179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.448{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007988178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:25.449{3BF36828-E801-60DD-E401-00000000C801}1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015898745Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:25.606{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F22591E5812C5028FCC2EC700BB25448,SHA256=85A9D4A609ED248B11C8D592908AC1ED51807FFB048613B2DC7119A65ED475EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007988291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.276{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007988290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.276{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007988289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.276{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007988288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.166{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007988287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.166{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007988286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.166{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007988285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.166{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007988284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.166{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007988283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.166{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007988282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.166{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007988281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007988280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007988279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007988278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007988277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007988276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007988275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007988274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x80000000000000007988273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007988272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007988271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007988270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007988269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007988268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007988267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007988266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007988265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007988264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007988263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007988262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007988261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 23542300x80000000000000007988260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62373EF2BD9655F9BF10AAD545729366,SHA256=660FED136E7502E565487CBAC55CEB4CB9F013293088B0F23B27CC9842C8B0BE,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007988259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007988258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007988257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007988256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007988255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007988254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007988253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007988252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007988251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007988249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007988248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007988245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x80000000000000007988242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007988236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.151{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007988235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:26.153{3BF36828-E802-60DD-E501-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015898746Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:26.621{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0611C04DD7CD7376CD52D37BF5DFE846,SHA256=6FF7E9B7F6AB723527DC2EB5918EC7E7BC3D0C470A15F00DF4A203F65CB07E3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:27.574{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1AF661678110655E6B192DFA48A9A1E,SHA256=195326D31EACC0E6E426594E4CB896E1437EBB02CF42751EB9E017991D3D4AED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898747Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:27.623{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E86B8CB4BAA1769F7B2AC6C9F13BC5BB,SHA256=B1EE6D249883E109860A1AC4D3C51FEA4C343A8C7F0315907455DA8EF59B6C89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015898750Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:26.493{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51915-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898749Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:28.638{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E7C1D36CCCA4C878093ED492810AB20,SHA256=0205BB317116E0CAFEA1FAB59E62502780EF0E6DEFA19D30EE9F0A4FD0B5EF1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898748Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:28.419{B81B27B7-880B-60DC-1F00-00000000C701}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007988294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:27.391{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62179-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007988293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:29.074{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD98D9F477EB76AB70F45A6586413748,SHA256=9CA64B0A83BCE3490E230DBE608C4C36594FB58C84FD69B21905630711F08FC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015898752Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:27.713{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51916-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000015898751Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:29.638{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C379F53F9D3796664BF26C70226373EC,SHA256=7537E52EF89BEE89ADE64A88349FF3E060943619B8DF8FF9E2C5B897006092AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:30.511{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4D29316D11B91752E493F81ACF92181,SHA256=186A1CF0810FF41D55E90CA1C7865F3D95C052D6A7CAF0B6A4F3CAB8486BF637,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898753Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:30.669{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB9A52F8CA8737DD1CB65CDDC27EA2B,SHA256=1B6CE182162496A18FF69175361B7AF77C81D7FBA66EE5BB39D90E404BBA7546,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:31.886{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70A4970C32C50E699717C89481232E57,SHA256=22492665C44746DEA6372C150964508E1955AA11CC487C7439849F0452FF1217,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007988296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:31.199{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADD24B9CC3875E7B92E0633701948719,SHA256=4FD1341F07A29538E58CE1F1220BA2D8115F27F44A994AC7F93B4F8679EA84CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898754Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:31.716{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2885CF7FDF9CC9D904265BB93348199,SHA256=9657DC6BE70E7BF880148D509FD100F13487E8C6338261779B2ACA0AA71052B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898755Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:32.716{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=623A821E5B749DC2816ED3BD7E192726,SHA256=DB9E3ADACF946D78F4963C6533D9C231778978C7BCC91E1C45307C24FF1EA80A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:33.246{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6701F28781A8C28C8A79E7A3E3A366AC,SHA256=46C9C47028812FC5DE6DABF51C350199D6637358817CCB7763A004C89E08F553,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015898757Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:31.525{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51917-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898756Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:33.748{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAC81EC9A5F01749D64307C68E37378C,SHA256=67CA05121FB1ED72EF1F535857C7AFDD2435483813A2F0159FF101EA6DCACECA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007988300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:32.391{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62180-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007988299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:34.621{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E8664F44179DAE713E568F5876295EF,SHA256=AEA281FC2F076E14AB98B33CA3BB5900C7642C080F7675A50CB7B85B9C2AFD93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898758Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:34.826{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEC788BF85FE717B9BEE0A665095E3EF,SHA256=BDA48DE653AA777BA805C288727B8F2E35B10EC0F71080F827D4F0583E27EB0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:35.996{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE6A4991FA4782E9A167E831F20C12FA,SHA256=47FF42614CBE153FCCC3F8EFB069A3131C3AD82E0374835C88CD6C4AD63D5B04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898759Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:35.826{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFB4F0C4E6676B68CF5D13F2DDE21044,SHA256=D5683ACB5A7DCB33BA55B6047291B43BB39F67ADB9B74B1981FAB2770F230ADF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898760Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:36.826{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4984B1ED9DECA91C52F73F6CCAE81318,SHA256=FBE87E0082076BD8B1BC663C1C901811442AEF6FFF4E3342633F01512BC49A27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:37.683{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E1FAF192E1AC5826524373225436BF2,SHA256=9C69D05B111ABAE777C283D1EB0FC363513BE6F0524DF4C0270DD1C56707C2C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898761Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:37.841{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E5A7A9BD3BB9A2EAB21ADF6AD88395F,SHA256=4A974FEACA79677048F6E50516280B10B25EA93C5DCCEBAAC075D3C1E09F1016,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:38.699{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5F1C95588DF294BFE319936493C840B,SHA256=CAFFE28CE20A791137C4183B4B7EA8A98AD5A75E821085667E020F726EC55DC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898762Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:38.904{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFA531445B97229E43EEE8EA893BEB24,SHA256=02D1D3F69EDA6D323359181D88FBD345F454E7049C993D5D164BE2B4EA42D1D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898763Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:39.950{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ABEFA6999DEC8B66528BC0BAF42A955,SHA256=EF0587B2746176C7E95A4D4A8B0028B7D18E4637DF301519BCB690BA546F900D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:40.730{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2CAB440956B6FFC19EE9479E0371665,SHA256=37510D75E55578D5CD7E0FAB7D8505D0D48BFA73CF798367C475BF11DAB26D90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898765Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:40.950{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61BE7E15BD218FE08681A9852E5B89A0,SHA256=54E257CFC9DBCEF42B2B6B8A18414C8A62032B6553F53DE06BFF4A0DFDF34641,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015898764Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:37.369{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51918-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000007988305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:38.281{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62181-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898766Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:41.966{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=810EF5430D3489B707F6FA55576044B5,SHA256=4665EB832CD5D18C0C8DBFD6630580C4B99045943AE77810CAD16C140BFAA89B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:42.449{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=804B0E33A6DCACC291B33E6383FD0F12,SHA256=F876F4861CA1ECB0326F0E82757308F5D79EEED7424B51B39851972F44B09EE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007988307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:42.449{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=707D4E57DEB53BCB849D3E3FD9349A2D,SHA256=7C26C5CA052F9A50D7EA75D9FE68862EA66BE407E97A86EEA42D9677539584D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007988306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:42.371{3BF36828-DD0D-60DD-1200-00000000C801}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9731BA5E7EA1778B27B0A8F7B62E4DFE,SHA256=33AB7E144F9E2929650E18E336AEBC771FD95CF1EACDEDFA9B6492DC182B7711,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898780Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:42.982{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABAD1B88F01E754C5FB6BAA969FD7C18,SHA256=03843FC74AC86DE4EA7C00BF638FE139916641D3CFDCD130A10949BD55C625C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015898779Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:42.950{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E812-60DD-242A-00000000C701}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898778Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:42.950{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898777Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:42.950{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898776Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:42.950{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898775Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:42.950{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898774Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:42.950{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898773Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:42.950{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898772Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:42.950{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898771Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:42.950{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898770Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:42.950{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898769Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:42.950{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E812-60DD-242A-00000000C701}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898768Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:42.950{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E812-60DD-242A-00000000C701}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898767Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:42.951{B81B27B7-E812-60DD-242A-00000000C701}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007988309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:43.808{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D11371ED6A4D3C84ABB1873F50D76CE,SHA256=C4E13BF13F0FC92F2337A64C63C43C99F9A0DFF1053AB874C63CC4274BC692FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015898794Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:43.622{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E813-60DD-252A-00000000C701}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898793Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:43.622{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898792Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:43.622{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898791Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:43.622{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898790Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:43.622{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898789Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:43.622{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898788Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:43.622{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898787Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:43.622{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898786Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:43.622{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898785Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:43.622{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898784Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:43.622{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E813-60DD-252A-00000000C701}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898783Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:43.622{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E813-60DD-252A-00000000C701}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898782Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:43.623{B81B27B7-E813-60DD-252A-00000000C701}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000015898781Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:43.138{B81B27B7-E812-60DD-242A-00000000C701}5112744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898810Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:44.216{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E814-60DD-262A-00000000C701}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898809Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:44.216{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E814-60DD-262A-00000000C701}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898808Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:44.216{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E814-60DD-262A-00000000C701}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898807Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:44.216{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898806Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:44.216{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898805Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:44.216{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898804Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:44.216{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898803Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:44.216{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898802Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:44.216{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898801Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:44.216{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898800Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:44.216{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898799Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:44.216{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898798Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:44.218{B81B27B7-E814-60DD-262A-00000000C701}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015898797Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:44.200{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E7966ADA6E36DB6AAD8D1C062FA2B6D,SHA256=EDBF39AD8DCE9AE999C6CB288E96FD948DD8F42C90D085E5E761FF6B51EF0FEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898796Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:44.044{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BBFAF6C263F036583DBF0A61DCD01B2,SHA256=1B593C084B3A040D08E1E2CC323E9172F5A53835E019215EDF8A39E2AAF236B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898795Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:44.044{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0397B4CD00B8DE99BCD1578F5022FE18,SHA256=82C0F98597C5DB26EA7865DD860310CC2F13845B00854C969CDD69E87FFA1AD6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:45.169{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12E0DFDBD0BD7D4079C10FAFB5D03271,SHA256=5ABACA2A6C9C3A6946E46948E5392D840E64E538A6273A5951B9421612AD18DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007988310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:43.281{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62182-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000015898813Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:42.494{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51919-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898812Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:45.232{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BBFAF6C263F036583DBF0A61DCD01B2,SHA256=1B593C084B3A040D08E1E2CC323E9172F5A53835E019215EDF8A39E2AAF236B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898811Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:45.216{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE2AD1AB5AADBE60212D8C43D1AC1F6F,SHA256=8F5607433C49B021D53DF9D49F8CB304F09AA28833FD8089E94AACC718820E5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:46.542{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7337693140C22608A68C26F4E0502D5F,SHA256=C30D7B38D8C1474FE54968131EA507E0ADB8133DD3638D08B7C80894F43DA672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898814Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:46.216{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=399A5E68CA01C1A9808C551ACBFE6387,SHA256=D48C732EA0F084ED24AD10343D2D3F27DFF844F9D9A80E4EF9BD6A048F3BDC06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:47.917{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2363EB279324A00DFD67B81D1D727E8,SHA256=0CB3B889B91CB5CB8E921BACE29AF6BA30F968A4F9CFF787EE9DDBF6946CAC35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015898829Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:47.574{B81B27B7-E817-60DD-272A-00000000C701}56525808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898828Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:47.387{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E817-60DD-272A-00000000C701}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898827Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:47.387{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898826Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:47.387{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898825Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:47.387{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898824Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:47.387{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898823Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:47.387{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898822Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:47.387{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898821Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:47.387{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898820Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:47.387{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898819Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:47.387{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898818Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:47.387{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E817-60DD-272A-00000000C701}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898817Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:47.387{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E817-60DD-272A-00000000C701}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898816Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:47.388{B81B27B7-E817-60DD-272A-00000000C701}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015898815Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:47.246{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=679F2D81AEDD7384084B2AC581BD1EA9,SHA256=EC2F967F1122673144BF4CE11CFB9394920A4E58126FB1EF2AF88E9C9FB5043C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898861Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:48.777{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44F77F8EB8303D86913DE58C48E33B82,SHA256=F8A04329D73AFF1085D279C592F1BBE384699F09BA57DFFAB6CEDF712580A439,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898860Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:48.777{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A3BEF35E860A53A0A7BE689D5437106,SHA256=5BA7A9BE3161F6E0FCB5C8D7023A4FCCDD63E9A900B36D81D4D4B714BB773355,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015898859Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:48.731{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E818-60DD-292A-00000000C701}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898858Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:48.731{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898857Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:48.731{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898856Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:48.731{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898855Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:48.731{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898854Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:48.731{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898853Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:48.731{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898852Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:48.731{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898851Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:48.731{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898850Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:48.731{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898849Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:48.731{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E818-60DD-292A-00000000C701}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898848Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:48.731{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E818-60DD-292A-00000000C701}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898847Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:48.731{B81B27B7-E818-60DD-292A-00000000C701}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000015898846Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:48.621{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1500-00000000C701}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898845Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:48.621{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1500-00000000C701}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898844Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:48.621{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1500-00000000C701}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898843Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:48.215{B81B27B7-E818-60DD-282A-00000000C701}20082712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898842Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:48.059{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E818-60DD-282A-00000000C701}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898841Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:48.059{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898840Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:48.059{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898839Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:48.059{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898838Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:48.059{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898837Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:48.059{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898836Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:48.059{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898835Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:48.059{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898834Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:48.059{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898833Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:48.059{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898832Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:48.059{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E818-60DD-282A-00000000C701}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898831Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:48.059{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E818-60DD-282A-00000000C701}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898830Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:48.060{B81B27B7-E818-60DD-282A-00000000C701}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007988314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:49.276{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C6C2A459EC4D2A14A41EDE4B80E88BE,SHA256=72A5344E6412858FA384BD4C1CE3209F848D59CEC8A5A502F8B38DE901C0AA03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898877Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:49.918{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D1BFFBE20421D4AFE2EBAA7B3B78812,SHA256=3E70DA55AAFA0F23BB1B1681A3E5B06C55E1DA67744D6418028DF8BE061D9BDC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898876Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:49.918{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=327827E9655E0602367A9E2808D7C811,SHA256=0B1D02244DD7ECD434F25BCE84C4485B78439CAC1B2262584AABEDBE33142732,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015898875Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:49.621{B81B27B7-E819-60DD-2A2A-00000000C701}60043776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898874Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:49.402{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E819-60DD-2A2A-00000000C701}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898873Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:49.402{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898872Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:49.402{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898871Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:49.402{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898870Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:49.402{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898869Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:49.402{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898868Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:49.402{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898867Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:49.402{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898866Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:49.402{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898865Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:49.402{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898864Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:49.402{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E819-60DD-2A2A-00000000C701}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898863Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:49.402{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E819-60DD-2A2A-00000000C701}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898862Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:49.403{B81B27B7-E819-60DD-2A2A-00000000C701}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007988315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:50.636{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6EB394B6A1393656E6C38E7855E0EC0,SHA256=6D513E5CA1F1A0E43F934719F03E6885C90BC54244C09F8E73D2084AE04974E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898879Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:50.934{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C04D2D12B9EFDE17C5C4D828B341B819,SHA256=4032BB7C3517F9E9EE79C1913C60DACA42FCD1165913E92FE5956797658343BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015898878Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:48.524{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51920-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000007988317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:48.468{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62183-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007988316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:51.323{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95A8999F9689D3BA6C5DE7C12EEFCA1E,SHA256=4CA18E8304B546B29F7BD07F759E4641B51FED6C8979EF24320185021AA0AC9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898880Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:51.935{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4196796823F789167C5EDC66C0D7FB9C,SHA256=A328495F663E2684CF3C7C1E2B0090120BFC991628805392BDE0006652C96D62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:52.011{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AE82B313B913A6835BFDFFEE8A90724,SHA256=12F9B8C9CE93C2E501839EE14E5249501591BA7A1A5FF4BAE232372074F82522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898881Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:52.978{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0EBB2109B3A1833AC2485A892298627,SHA256=595B118E29AAAD2F54A57549F0271C4BF024CFFC518167E0877DBF8E02A71C3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:53.370{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F7A5083804ED41AD7DE4ADEE0B248A0,SHA256=85665E57B1C8E4BC4173B402CE66AA9873F807079312250F86428B81C58C0AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007988320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:54.730{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB4ED60BE00497174641F26F2CBE79E2,SHA256=328BF0A4D384D1CD0AE1FAE7D9AB05E6B708958C3801CAFEAC4FCE7FEA6FCE71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898882Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:54.012{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3B68A01BFC21A5BC0D3CE6558B44870,SHA256=3693A12B1D888951602524DB4C156C560F179510D292743ED43D99952297566B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015898885Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:53.556{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51921-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898884Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:55.340{B81B27B7-880A-60DC-1000-00000000C701}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9DBF6CB457ACD896587CEFC03A41C799,SHA256=DF0D1026ED7CFAEE3B7A5F7289E88E806868E8613EE8E363FA3646569AE68D67,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898883Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:55.012{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2F5205ABBDBE8BFD2F58258D8251574,SHA256=C202ADDC45EB035784C4968E926384486B0AC230C084E84B83CF74E38827B63B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007988322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:54.343{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62184-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007988321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:56.105{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4823BD4C7D70CF2BC000CCD3769329DF,SHA256=C73D496D236645E5697622BD8A2C1765F90267A639D8CDEF8FA4D9C546F2E903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898886Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:56.012{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB3E24AC63E22D9828B5E205EDF021ED,SHA256=976F2283290374C55C6E7CEC71922A2DB6F9A874F2575F75BB1F3A3CD98D593D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:57.464{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26C667E259226043BF9FA8A9CF33147F,SHA256=D2F192EDC2DFFCB39E490DBD36AC3DCB5C4F8C5939C3FAA4C5192C49820856F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898887Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:57.043{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3928F922D7AB06C730D2076A51663C03,SHA256=9BD7F9CC49CC89471114A6E9505D1B1AD1A2635A90AE8C71198BD5DC8A67BB81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:58.823{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C33A06AE778261A7EA9D11DABE3DF50,SHA256=5FDB0A75D1AFC10E5DFF49E9B632D0AA73ADE3D7ABA58DBEF750C2E07F654611,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898888Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:58.074{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=735FE2BDCB20BA9065F14EF7B13D8730,SHA256=31149BC723AFA3F1C3CE2A4919E1CC264289BAC6650D2502D7E37B80CF400F92,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898889Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:59.121{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0CCD1591082ACFEEE0C500F88261971,SHA256=929F422DDC25C01F46A68DE12377643BFD8E7A435F877BBE94794549700E8E43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007988329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:00.792{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1600-00000000C801}1320C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:00.792{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1600-00000000C801}1320C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:00.792{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1600-00000000C801}1320C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007988326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:00.198{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86B38F8E3E36AE0DB42C6F27EF9E88E3,SHA256=F5F470C14F6A4C60B79A8A33F531FDBC954DADBED2FE33D015D9997F58624350,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007988325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:00.198{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53CEEDBEB0BB822B77C1CA255A775068,SHA256=94451674D46DAD67089D37E8B02BDFDF3FC2197EF9AA796EA569DBF189DEA0D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898890Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:00.121{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7421B1D24B046CBC58DA91362DA6161,SHA256=530AF73A61707BA19FAD67E20989C33A9C28F721D1BBF0FA3E588417248788E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:01.558{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AC75496E77D85E40F61005730B34225,SHA256=403777F27F1E1EC954D52796580BD8391037A3B295615C7A18DC37C16304FB05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898891Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:01.123{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9849F9B524F3F56264A16DF47CD468D,SHA256=96946983A120BB7ED66159B28C4F11FA47DD90F9A2777374FFC560F78012780B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:02.933{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=407A06D620546020F86AF0EB17898ECD,SHA256=C8A4AC6F9F146494BB2E82E8D73EC9A07A8C5ACC8F1A9BB893399E58F4DEB454,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007988331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:06:59.358{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62185-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898893Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:02.152{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23EF569368DE03FF729DB2B9D43DBD0E,SHA256=4237D74A09693A90223B65DBA748A2E87F5E8D4088411F76FC4B089D08EB7129,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015898892Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:06:59.430{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51922-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898894Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:03.168{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EFAC1B6FFFD8A4824C82D4E9C2DECDA,SHA256=DB19CB5A85F04FF1847BBAFA986EE45D0D9C961D3D02403478C73A0FA8359E05,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:04.308{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5D5243F82753E5FAAE7A460756E3902,SHA256=89CFB093E011DA29E03D41F11460BF1C8D011B1AA0ABF7C3DB421A96C01A869A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898895Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:04.184{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71A78969AC0722D577E706F583AD3294,SHA256=4C95FB05F7A1A278DC2B9EA2D4A1E9A2B4048E5A763666660671232DC320AE5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:05.667{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0E0F53151C69D70A513D6601E8AE25A,SHA256=D899B9FF2B0B19F0C0C4A7E77B258A4AB37BB86E3D5E4EBD40D52015F2070273,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898896Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:05.199{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7DE14D438940F457D7E29C54DA1EE5D,SHA256=BB986E2CCC4A18E9102DE0855A9FAEF4469D4C574B8D945B4FBB55E3F047BBBE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898897Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:06.215{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BAD94DF2CE45EDEA73BB944895EF210,SHA256=2EA02A7720C09A0376F938A8C2B0EF1DF440BB0284A82453D7EADE29FEF050B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007988336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:05.358{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62186-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007988335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:07.042{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BE66700F404AFCCFEC0CF85409823EF,SHA256=D1A2EE5A475929F22F5471EE1D5C6E15D308303719088C4BE3A191FC50EF9B9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015898899Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:04.446{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51923-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898898Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:07.219{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C57A20AB677A578CC7EE8ABC6EC7DDF9,SHA256=10FC2C898C47FB7F2CCE9C1539A569C43201AF3DB7CB41BF6FBE8FFBD93E8016,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:08.406{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C4C743B6A619979D7172D20C7B3AA04,SHA256=761CED9F36DB19AA0495B06604FA6EF014C2B2FE24B4AB8E3449F7A7E651668C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898900Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:08.234{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F06E33A177346111BD91BB53FB66FDAE,SHA256=B05773B052957B7EABE3F67B3485932E874788AF04C1EFF60C895BD5D14C5D4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898901Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:09.297{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C9FF70BAC9570FE1E4A46A69420FF24,SHA256=6BDAB517B763F3FABE0B4AB7ED13A682BD12E3C930C5A20AD9B1F87DFE0B1EF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:10.437{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99C2DC9F1C1BF60A5FC9F8EF17808067,SHA256=298D070B852CE85DEB0C074DF9C9B7BCA5528D2128D52B95DEAD7266FF937D8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007988338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:10.437{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E02B25083EE1D5A542F0B63E8B5D2A3A,SHA256=886AB4346C2BE621E9225AA3619F3E4DFE6FD061D776BD8EBE9E8CF61A802502,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898902Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:10.328{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99937156111C3B5F5C35CF3BD305B42A,SHA256=F15F030C5E498F04D204FBF756EA091B6C92054CA43D660118C1D8BCA5CF3751,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898903Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:11.344{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22540EE7EA3B7B6DBE30F6782B5CCB20,SHA256=053CDB2EE47D95FC6EDA843C7C0FBF6DE31321AC651A278610526128C0A559FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007988342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:10.753{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62187-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007988341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:10.753{3BF36828-DD1D-60DD-2F00-00000000C801}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62187-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x80000000000000007988340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:12.125{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33E37FEB431142328F2342D81E8D19A0,SHA256=831A11824077EABF51D3F7C5557E80A6640B969C7A57517D72996711AF14BDD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898904Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:12.359{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EAD017A058861D83559C9FC7B2C238D,SHA256=9F745ADDA90201912ED2C5B06EC994ABCACE280648AA5FD8288CCCFE2663B0E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:13.500{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=405BA618FFC02C55C34A1A8BA11F86AE,SHA256=F88A1DB36A98DEA6C2902439EE6D2D936B85D25F39AC0427D77D3D3B94538F5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898906Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:13.375{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D484983B9DA774FF7CF64DA831FEDE7,SHA256=CE3AA9B4469CB643116321C0FE07920D5CD4138BE74D07DDFDC932B154567C4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015898905Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:10.497{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51924-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007988345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:14.859{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6174D8E6B91A5E32FFCC17BACB03033,SHA256=B811A026AB9D2E80796168FFA8785707AC6CA654E8B1CB894BB65D7C49AABE63,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007988344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:11.377{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62188-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898907Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:14.406{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F90B2465C8C8B4FF7B82B3E81504FC64,SHA256=39DD9798C16AD6525D65B6C8609275BDF13090E4835E2E934D4EB159616FA234,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898908Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:15.469{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E6F10B1A46A5C312B9DEE79CF948483,SHA256=073A863D8AC577B34395D0A46D83D9C08CC533C8276B9232D49CD6E88BAF80A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007988455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.937{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007988454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.937{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007988453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.937{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007988452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.937{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007988451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.937{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007988450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.937{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007988449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.937{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007988448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.937{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007988447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.937{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007988446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007988445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007988444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007988443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007988442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007988441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007988440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007988439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007988438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007988437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007988436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007988435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007988434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007988433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007988432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007988431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007988430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007988429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007988428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007988427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007988426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007988425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007988424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007988423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007988422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007988421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007988420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007988419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007988417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007988416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007988414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x80000000000000007988411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007988404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.922{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007988403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.923{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007988402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.343{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007988401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.343{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007988400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.343{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007988399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.250{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007988398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.250{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007988397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.250{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007988396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.250{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007988395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.250{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007988394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.250{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007988393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.250{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007988392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007988391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007988390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007988389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007988388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007988387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007988386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007988385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007988384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007988383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007988382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007988381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007988380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007988379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007988378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007988377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007988376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007988375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007988374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007988373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007988372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007988371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007988370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007988369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007988368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007988367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007988366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007988365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x80000000000000007988364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007988363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007988361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007988360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007988357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x80000000000000007988354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007988348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007988347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.236{3BF36828-E834-60DD-E601-00000000C801}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007988346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.234{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C96C6D65E271AF8721676168EFDF23E,SHA256=FCEB512F5573F0A09776C9B44FCEECF3B44C675F19B46BA76E5F0B7BA89001AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898909Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:16.500{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A5BAA3BA146C06D00F74F615E231D2D,SHA256=984E5F26FB80C26D2E75AD91C80705241DF662C48C979BB6737A79CD750F9A17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:17.593{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=988FA8E6B7C59189FF85B0C6AF886CAC,SHA256=B2A2BE681D87B889A42382E70402F7D89DF6A4380465E1651A28C832759473C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007988458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:17.047{3BF36828-E834-60DD-E701-00000000C801}37963804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:17.047{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007988456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:17.047{3BF36828-E834-60DD-E701-00000000C801}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000015898910Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:17.531{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=642F6D11AD6CE97B9C87838F5E5B5173,SHA256=161571D4A1758338747ABE213AD62502297AFBA6BD4854217F74A99270B21C6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:18.968{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1445D4CB77CDD9923C0A9FDCB726751,SHA256=989C065C8591E2648DB5FDBA17A24CB367E5E982C93F9E550A35BFD976004EB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007988460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:18.281{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9FB74331E9AB4F19CC7A5D15609B5B4,SHA256=3E28DFDF028EC34869F798E4299BF46FEE237B3D90898AA0F61BB988D4500681,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015898912Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:16.356{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51925-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898911Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:18.562{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=381FDC57908DA9B2DE54219719453582,SHA256=FE55BDEB48CBD2822283D0CB91CCBD5F1A0C59C7E6C0274C5DAD7D67EC9D161B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007988462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:16.410{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62189-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898913Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:19.562{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2DEC93AE4AE221D28C80F058075BFA5,SHA256=1FCCE851CB50136B0D0077739D9F8377DDFE497AD96F772CB4EC9CF32A733979,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:20.906{3BF36828-DD1D-60DD-3000-00000000C801}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007988463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:20.406{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EACC94459D3CE1A3DEE7C36FE966AA4,SHA256=BFC9564672B303B0E6A4EE29140CB18E177345A51ECAF5743D79C88BF3043ED3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898914Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:20.609{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53E061AF61134D35CC518ED99AAEB53A,SHA256=3551BEC9F6D04DD107E1DE1D204F214902F6D9F5662C9D51939D1830F2BC9159,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.828{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9A7DEB5C916123E1A2E9E2661722C52,SHA256=5945AA5AF06C3ABD6FE85E177B8C5E8A4C89703452420270E42B8790C9590C79,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007988525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.265{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007988524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.265{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007988523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.265{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007988522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.172{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007988521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.172{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007988520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.172{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007988519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.172{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007988518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.172{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007988517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.172{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007988516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.172{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007988515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.172{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007988514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007988513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007988512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007988511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007988510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007988509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007988508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007988507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007988506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007988505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007988504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007988503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007988502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007988501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007988500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007988499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007988498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007988497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007988496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007988495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007988494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007988493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007988492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007988491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007988490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007988489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007988488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007988487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000007988486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007988485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007988484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007988483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x80000000000000007988482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007988480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007988479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007988478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x80000000000000007988475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007988467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007988466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.159{3BF36828-E839-60DD-E801-00000000C801}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007988465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:21.156{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58F5A4AB1A0B793374A717EC61A8DBE8,SHA256=B2E683534DC1825819E149C0CE12BA617943C5274A8F311450F72D3CDAC32B1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898915Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:21.609{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C73A1FC428EAB93CB5BDC1E134B62C7,SHA256=9A3D4E654AE6AA3A444B35EF9499CCC1351D858C83D2BEF32E25ACE78ED74B16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:22.515{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37347C6C67B9BCA4F828191043A3037F,SHA256=6BF0410B8D1AA002C78E1AF3A4216D8CAAE61D9B41C27F2B174025A94D224383,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007988527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:20.112{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62190-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000015898916Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:22.656{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA7EF72E44AE9D7350F456148BF3A508,SHA256=C33C6E389A1B2F9057BF1CBC5959F8F1B8A7C46BD4B1DDC626DCBFA2BC0CDE38,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007988581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.906{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007988580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.906{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007988579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.906{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007988578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.906{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007988577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.906{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007988576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.906{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007988575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.906{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007988574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007988573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007988572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007988571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007988570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007988569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007988568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007988567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007988566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007988565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007988564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007988563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007988562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007988561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007988560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007988559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007988558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007988557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007988556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007988555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007988554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007988553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007988552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007988551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007988550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007988549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007988548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007988547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007988546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007988544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007988543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007988542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007988539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007988531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.890{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007988530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.892{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007988529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:23.203{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDBCA9936794D561B63CE2B4A857F726,SHA256=A336B8C47BEB599B268BC2DE61ACE14B78C7E5B0FEB277FC8ACB55FE519EF89F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898917Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:23.656{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D804971EFFC69E33CAFB1A38A9C72BF2,SHA256=2EDBF64EC1C368D79D418C3140DECA6EDFD0A3932F9BC76B964F910022E03939,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007988643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.750{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007988642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.750{3BF36828-E83C-60DD-EA01-00000000C801}35322072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.750{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007988640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.750{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007988639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.656{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007988638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.656{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007988637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.656{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007988636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.656{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007988635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.656{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007988634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.656{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007988633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.656{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007988632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.656{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007988631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007988630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007988629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007988628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007988627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007988626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007988625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007988624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007988623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007988622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007988621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 23542300x80000000000000007988620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A6B5A571222AC8357A28570AB06A780,SHA256=4ABAE7B2A8C3E1F53FB72EAE1DC35FA056AC0300E86A4FD386DBA1678B10A82E,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007988619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007988618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007988617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007988616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007988615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007988614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007988613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007988612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007988611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007988610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007988609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007988608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007988607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007988606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007988605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007988604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007988603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007988601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007988600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007988599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007988596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007988588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.640{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007988587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.643{3BF36828-E83C-60DD-EA01-00000000C801}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007988586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:22.409{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62191-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x80000000000000007988585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.000{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007988584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.000{3BF36828-E83B-60DD-E901-00000000C801}2936888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.000{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007988582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:24.000{3BF36828-E83B-60DD-E901-00000000C801}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000015898918Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:24.719{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA7ACAE9AF8730B5C8651C834B47A796,SHA256=7129738098173A2647187D921DB4BBAE7A7F3FBD0452518FC26CF233D165CCE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007988700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.469{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007988699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.469{3BF36828-E83D-60DD-EB01-00000000C801}17962904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.469{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007988697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.469{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007988696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.359{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007988695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.359{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007988694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.359{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007988693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.359{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007988692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.359{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007988691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.359{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007988690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.359{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007988689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.359{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007988688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007988687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007988686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007988685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007988684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007988683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007988682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007988681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007988680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007988679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007988678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007988677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007988676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007988675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007988674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007988673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007988672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007988671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007988670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007988669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007988668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007988667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007988666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007988665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007988664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007988663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007988662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007988661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007988660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007988658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007988657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007988654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x80000000000000007988651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007988645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.344{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007988644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:25.345{3BF36828-E83D-60DD-EB01-00000000C801}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015898920Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:25.734{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C765866C32B31135CBC72AF95B4A09,SHA256=7C155441817E89F6C16DE12BBFF430A92E1E6B3362C15123BEC185881966BC8B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015898919Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:22.341{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51926-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007988758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.703{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=075266CC25F70A3C654E73A72F08EC9D,SHA256=507334EC13A58A5DD959699F7BEE1A6CEE322A8CF2AAADE092B634CDB8CA676E,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007988757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.156{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007988756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.156{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007988755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.156{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007988754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.047{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007988753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.047{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007988752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.047{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007988751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.047{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007988750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.047{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007988749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.047{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007988748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.047{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007988747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007988746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007988745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007988744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007988743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007988742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007988741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x80000000000000007988740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007988739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007988738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007988737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007988736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007988735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007988734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007988733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007988732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007988731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007988730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007988729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007988728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007988727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007988726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007988725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 23542300x80000000000000007988724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B234B438F8AADBA4A7C6B0A9F5F21119,SHA256=A6E65608A4BD475FB5290A7D52A74B8BDAEB7BEFBF52D34A91064237CC24F4B2,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007988723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007988722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007988721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007988720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007988719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007988718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007988717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007988715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007988714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007988713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x80000000000000007988710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007988702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.031{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007988701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:26.033{3BF36828-E83E-60DD-EC01-00000000C801}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015898921Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:26.734{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4C10BFF49E3CF08BE171D1A460365F1,SHA256=FF6FF8C28416DC2C65557135197B23A8782EEA4D880A2BA3327CCAF2980752F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:27.454{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F478BE7039FFA36BC20384A1C426D0C,SHA256=DF2FB7EEE3F44B40AA15BD24F5461BF27434329A6BDEFD0C6A750DCEF736EFBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898922Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:27.751{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DADDD045AFA34CC4D792C5BEA2CAF5D2,SHA256=D13BDEB64312391D3071E432EF0B47D9B27E0FB10C9A3B7344CAD91A77DA602C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:28.892{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=383FD72681EABB6751D89B0960882CBD,SHA256=FE8F900AE4C3756637D118F855997EA9BF25919C81CE28D0308D9C0237DC6422,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898924Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:28.798{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=118F59D1B0F4CEACF902D7BB56B2BCC4,SHA256=B4318618A53C5AF86082CAD97B331A61E6F9A4124A15B2DFFB329A723AE0EBA8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898923Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:28.438{B81B27B7-880B-60DC-1F00-00000000C701}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898927Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:29.798{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A62D55192F825535F73E81742DFB539E,SHA256=959DAF36A6B76F7034229D35AC33AA6F5BE6374913404DAA0979F3EAB4B5FBF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015898926Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:27.733{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51928-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x800000000000000015898925Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:27.482{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51927-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000007988762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:28.253{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62192-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007988761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:30.392{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B2788452624B1D83D94180BEDFDDD08,SHA256=EA38D4DECBD71D2F91EEB0F53E4CDA4322DDB82F73CF4639C7CAE6A3DC25A45A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898928Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:30.845{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3506D91B59CFC9821AFF7E4AB97B78EC,SHA256=70B53878361B42628983DA6E9A17711CC4E6A59F43C2D0DA2BCD45CFBF16C1CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:31.751{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAAD2888D60BF9093F547D5A706757EC,SHA256=10A46238FDD67485A5DEDCCB50E17B3ADAFD5E7C245CF6C51DEF709F1D1661F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007988763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:31.751{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=999173DD0F1C25E33DCE1215CC113501,SHA256=4F0ED0D6B22AF500D1EA15A1785963C7597638131993E36E34C6DC086FF76CB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898929Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:31.860{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=074C3DB79639DC884D08C71FDD7280A3,SHA256=8E8ECC190B610C4001DBFFD0963A888BC065E971EF96FDFEE6A93529CCF55851,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898930Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:32.876{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4BF9A5111B79D7622D314361A9C520D,SHA256=2AFB0118CCA356F9B6E4183CB10703E8DF670239BC58148C9E5784309305E6F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:33.126{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D11E2C6BDE7A649D4B24C66E854F8ABB,SHA256=1804B0A7EE42697A807C09A8140E3C28AFE0FDB034B77CD0972759B1263DD2CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898931Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:33.892{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9137EA3820B015FC76140137F9B29E16,SHA256=730097DE21CD0631D638E772115471C4E4CD29EDBE4582650AC82CC742F424C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:34.501{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A909CF4A6F6B7B7B1475802F895E1DC,SHA256=8FB96341D54B358818F63B5CABE66441B5A4569D945B0114663D2821D62785DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898932Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:34.938{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34AEA3AC6C7054725F9D7E666162167E,SHA256=CBC3C0BDA9E42C933E9ABDB8091ACB94F014723848F4418DBAA9613D704105D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:35.876{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DE3302EB0C2D2F753E7752E20ED96AD,SHA256=47E20028AFAED01103E2DA4E7E348C2E18BE79C5C261785B074DEEE9456D530E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007988767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:33.347{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62193-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000015898934Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:33.357{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51929-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898933Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:35.970{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0175A053D3F3B4FCE67C0EA4CACFE7A,SHA256=86B068EBA52D67B1A4D59F2ECA994A711992ABE2ACE630827604367B2E605415,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898935Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:36.985{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D684B08BACF61C8D650B38FE394D9FD3,SHA256=BC48519CB1CC4B6925A0F310B84D2EB0859FF648B82E13EEA5FE4A8781A02CA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:37.236{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21772D854C19D9CCF3C0D12750718359,SHA256=4AB650520AB987B0B70A6D34847479F4B9DE977E0F1B9B35EBC0E711C495A7DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007988770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:38.642{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E4139D10EC1541AE6057B481A60C465,SHA256=76CA85CC80C8FD9396D1027371ECB53C8DBD0DDBCD5A849C2599A404DF0374FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898936Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:38.001{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=426125B703BA5E157225D08B5F266308,SHA256=8EF3B95DD7AFB5EA1185FA611C0DE5499AC8163F8CDBE022CA5105C661DF7C9E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898937Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:39.017{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95C79AE45291E0DC5017D0E8C9244727,SHA256=7B9A2C2291FCC6859200AD1D3D9A91373C6E3C02EB9B83700E6F1B06BFFC27C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:40.345{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEA67DE3D6B1463E654E302EB977C58F,SHA256=69EBF1A1E3B41D6717A909141D10A99DF4749DFAF56EC8F17EB5593D4203DDC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015898939Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:38.498{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51930-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015898938Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:40.048{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C738EE4D3975DE3469FEEB1815046859,SHA256=4EAF9A6A041D2C7D0729BF1BE4CDAB76B4D85AFBEA1C251ECBCA5486846E0FC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007988772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:39.316{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62194-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000015898968Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:41.142{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898967Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:41.142{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898966Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:41.142{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898965Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:41.142{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898964Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:41.142{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898963Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:41.142{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898962Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:41.142{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898961Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:41.142{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898960Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:41.142{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898959Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:41.142{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898958Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:41.142{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898957Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:41.142{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898956Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:41.142{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898955Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:41.142{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898954Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:41.142{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898953Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:41.142{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898952Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:41.142{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898951Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:41.142{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898950Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:41.142{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898949Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:41.142{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898948Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:41.142{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898947Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:41.142{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898946Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:41.142{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898945Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:41.142{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898944Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:41.142{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898943Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:41.142{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898942Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:41.142{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898941Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:41.142{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015898940Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:41.048{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF93EE03D748CDC96D0A9F2565532340,SHA256=A70DAD6D9186876C8E62AEDA50ADB0C9849DE19FB088C7DF07935776058AC865,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:42.377{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=120B42783AE20E5E40036619081E4A61,SHA256=7629DE966C14F5F2AA810FFA63CE7BC86F7EFF11018CD18700B2D6BF84480EAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007988774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:42.377{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01518148C1141597E67CA52ED9F61453,SHA256=CA470A628BF71ECBB40F901052167AFAA70161EB2F95A699C7359F19228DEC49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007988773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:42.377{3BF36828-DD0D-60DD-1200-00000000C801}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4AB8E03EE08C28E5136CE4BF6271ED21,SHA256=268F407FB612F991BCC233ACE45A4BCC25354ECAC96ADC53FCC5B1A884F84A5A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015898982Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:42.970{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E84E-60DD-2B2A-00000000C701}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898981Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:42.970{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898980Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:42.970{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898979Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:42.970{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898978Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:42.970{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898977Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:42.970{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898976Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:42.970{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898975Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:42.970{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898974Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:42.970{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898973Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:42.970{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898972Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:42.970{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E84E-60DD-2B2A-00000000C701}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898971Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:42.970{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E84E-60DD-2B2A-00000000C701}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898970Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:42.970{B81B27B7-E84E-60DD-2B2A-00000000C701}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015898969Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:42.407{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=331BD1756BEF6E9888B0D43340552B2E,SHA256=382E61E082F766FCD3774389355D31F6651B652772B1A88C0CBCD6259BC60B58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:43.080{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB0F1CE5A305DC77C734F951587E1F6F,SHA256=5DFE40BDB14D49B8ACA3A5617F8AB352285721AC008337353648ED7311A9B66B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015898998Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:43.985{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6514F4A2C694CCBBD23E4F5EA0CDA163,SHA256=9D84813A447527BA52D7F32E4E4B50E8F32EFD8C69A11F8F4068E710D3124642,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015898997Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:43.985{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C61DD230FA1193FBDD741567DB1314DA,SHA256=C52494B4863EFEDE8F5110C140A997835BBD9CCEA390D5C708128E5B670E5565,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015898996Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:43.501{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E84F-60DD-2C2A-00000000C701}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898995Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:43.501{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898994Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:43.501{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898993Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:43.501{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898992Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:43.501{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898991Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:43.501{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898990Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:43.501{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898989Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:43.501{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898988Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:43.501{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898987Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:43.501{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015898986Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:43.501{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E84F-60DD-2C2A-00000000C701}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015898985Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:43.501{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E84F-60DD-2C2A-00000000C701}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898984Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:43.502{B81B27B7-E84F-60DD-2C2A-00000000C701}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015898983Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:43.407{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCA7E73E1D0720AD0A3FD7CFF9B2B963,SHA256=55F61EEF8A511B9FC77F62E759CF7BDEA6BB368F7CEB168F2C340E1F81D4EA08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:44.439{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=213DA2F75E75E96B50456B7538C3CFC2,SHA256=CBD2E036072EFBE2845853FC418AAB776F00F160BF85346187447B066D473C61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899013Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:44.532{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4DC6D9932DECA75564D78E38D80A0A,SHA256=E0932B43A4B599D5CC1E2A66D2DC0C25A140B948FF1B214A3A2A00A2A64428AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015899012Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:44.329{B81B27B7-E850-60DD-2D2A-00000000C701}3632308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899011Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:44.173{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E850-60DD-2D2A-00000000C701}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899010Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:44.173{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899009Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:44.173{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899008Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:44.173{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899007Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:44.173{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899006Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:44.173{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899005Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:44.173{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899004Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:44.173{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899003Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:44.173{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899002Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:44.173{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899001Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:44.173{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E850-60DD-2D2A-00000000C701}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899000Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:44.173{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E850-60DD-2D2A-00000000C701}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015898999Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:44.174{B81B27B7-E850-60DD-2D2A-00000000C701}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007988778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:45.814{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5F722918174E1B44F5567FE8AF5B8F2,SHA256=D5BB1BF53F9E58DAC253968B654EAFA5605CFD2A2076B18DC4E5476FEE5822B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899015Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:45.704{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9882BB778AA4BCC62564CC2D8B02DC3D,SHA256=C500F7E3E5B396EFB849D37CE7A716E885A81AB26CE74A3A779A7577B8B4BB0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899014Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:45.204{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6514F4A2C694CCBBD23E4F5EA0CDA163,SHA256=9D84813A447527BA52D7F32E4E4B50E8F32EFD8C69A11F8F4068E710D3124642,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899017Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:46.735{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8959784758B13808ED8128CE79E1B3EF,SHA256=36913F05FF7465A13B6D4E99DA2D77C8AC8749925D8CDFE49711E536BD145B65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899016Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:43.514{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51931-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007988779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:47.188{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A590D5DB2CEB6B54F354D2D83789C6C6,SHA256=FFED04AEFA48D5C41C6C83C155EA57F70B8BAAECE58FDD5F9DE5960D1F5C099D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899032Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:47.740{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A398D67E9EE9A698FA8FD648A103C363,SHA256=A1379917D24BB9FA35E07D73F12659451E2DF4BE41F9947A4A3A2DC515ACF838,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015899031Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:47.537{B81B27B7-E853-60DD-2E2A-00000000C701}50245028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899030Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:47.396{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E853-60DD-2E2A-00000000C701}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899029Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:47.396{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899028Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:47.396{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899027Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:47.396{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899026Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:47.396{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899025Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:47.396{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899024Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:47.396{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899023Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:47.396{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899022Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:47.396{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899021Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:47.396{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899020Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:47.396{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E853-60DD-2E2A-00000000C701}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899019Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:47.396{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E853-60DD-2E2A-00000000C701}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899018Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:47.397{B81B27B7-E853-60DD-2E2A-00000000C701}5024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007988781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:48.540{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AFB36D3886DD675A92B1C1CC5D26CD3,SHA256=96D8F5FFCC12C50F73A08B06910310877AA5EA860576882DF1819F7BF2011954,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007988780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:45.332{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62195-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899062Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:48.771{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6320AA4EEF563D4B43AEE5F3A8635584,SHA256=9F472EA4467A2100ED658AA928B43362ABEACF706720BF5CBCDA3C5D901E18FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015899061Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:48.756{B81B27B7-E854-60DD-302A-00000000C701}50563412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899060Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:48.631{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E854-60DD-302A-00000000C701}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899059Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:48.631{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899058Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:48.631{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899057Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:48.631{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899056Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:48.631{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899055Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:48.631{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899054Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:48.631{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899053Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:48.631{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899052Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:48.631{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899051Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:48.631{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899050Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:48.631{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E854-60DD-302A-00000000C701}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899049Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:48.631{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E854-60DD-302A-00000000C701}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899048Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:48.632{B81B27B7-E854-60DD-302A-00000000C701}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015899047Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:48.427{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1C125318665D9B9E38CF469F94A616F,SHA256=C88F3EF13CF28DCB7FD8BEC3E561A94EA93E9BB65B8F9050FC74B08B6351CE2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015899046Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:48.162{B81B27B7-E854-60DD-2F2A-00000000C701}32204180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899045Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:48.006{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E854-60DD-2F2A-00000000C701}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899044Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:48.006{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899043Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:48.006{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899042Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:48.006{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899041Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:48.006{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899040Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:48.006{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899039Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:48.006{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899038Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:48.006{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899037Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:48.006{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899036Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:48.006{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899035Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:48.006{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E854-60DD-2F2A-00000000C701}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899034Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:48.006{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E854-60DD-2F2A-00000000C701}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899033Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:48.007{B81B27B7-E854-60DD-2F2A-00000000C701}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007988782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:49.915{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF95F21FA0119D47E0AA1522967FAB4D,SHA256=585EC7186B641AA65C6EACEABC5358111A9332B29F746B5DF1E0935E9FAF2427,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899077Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:49.771{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C68D1BF930567EDA1FABAF2E5C42A07,SHA256=C0B60B2C07DDD6A85AA94292BA21E3AA8CE9B57EB83E91146EC6AE8528D30EA4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899076Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:49.709{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82160F422DFC132A9FB24FB32EF09BD2,SHA256=4511471053E9FA7E3E98BBDC7901964C3DDCD1C91EA61082E4D634C62ADACB63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015899075Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:49.302{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E855-60DD-312A-00000000C701}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899074Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:49.302{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899073Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:49.302{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899072Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:49.302{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899071Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:49.302{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899070Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:49.302{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899069Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:49.302{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899068Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:49.302{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899067Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:49.302{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E855-60DD-312A-00000000C701}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899066Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:49.302{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899065Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:49.302{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899064Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:49.302{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E855-60DD-312A-00000000C701}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899063Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:49.303{B81B27B7-E855-60DD-312A-00000000C701}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015899078Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:50.803{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CFFBF85910FCA776B095CD1AE39E4A4,SHA256=889F8E919001C17409A6794D8D05362BF6A8F6B2CC136F6916F9D6B3913904D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:51.962{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA9C07ABF35A72AAF721CB5804CCA868,SHA256=6A71583220E8CAE30421E30E0C363B87E4E939417931CA277647E240A0C9B721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007988783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:51.290{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B98EB08901C3EE3B80FE478F217B2EE,SHA256=8C7C3737E7DAFF1DA198182FBBC6859C56270CFB2636ABD3B609451C16F79EE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899080Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:51.834{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1382B52A2F320589603090AA7170C006,SHA256=4C3DADA9CC970E11AE425C95CDC101B9DCCD4C957DD7455C78C8FD8BFFF51A6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899079Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:48.565{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51932-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007988785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:52.650{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6465549CEEB484754060B45AEF08A0,SHA256=CA2AFF7ED9128A9F7282FA48B799831083C0303A1FDA6067CE25B6DD3E6A1981,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899081Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:52.866{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=275D92AC348A2D9BE5DFF8773EC591FD,SHA256=CFAAC9CCAAB29192BC3AB854305262A05EBF65145E8F0890F9F09867CF2DAFB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007988786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:50.354{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62196-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899082Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:53.878{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7F12B23B12B76D416F6A0658C1D83A2,SHA256=93AA8F282F7D3E8CF5B007D43D956760C940BCF443FF7EB7785B74B6565C723F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:54.009{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CB7A97EC8F5D62D54659813CF819A6A,SHA256=231B96A61DA9890063950FEA95B6B581DE3DFDD1E21FC3EC323469269F851545,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899083Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:54.912{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=161AFCDD79BF5FEA46BA226840156FC9,SHA256=6A7982CB68FBF94ED70D3C733D9BE8A5597BF239BA59FFEFBDFCEE90859E0620,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:55.384{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6575DF17DFEA165280A74298C63C1012,SHA256=1D3D593E0B62279FE9B9027BAE38EB99843FE72679D165EA5A4AE278102E244D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899085Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:55.944{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEAB3E49D153930F3EE6F899927FF9ED,SHA256=7DADF86188585803C5B704D138BDC84DBF365EE203F0087460CE09608AE6482A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899084Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:55.350{B81B27B7-880A-60DC-1000-00000000C701}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=31B7CCEB2D50CDCE318CE0D4F52D1730,SHA256=DED82AF6090DBFEFC6FE8081C774784A26FE771472D36E4D34BFCF2EFCF7D754,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:56.744{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E1C5F407675869A7E524EB672818392,SHA256=BDB1314541F92A215A46EB73366A2296A74766126E739A10F4460E1F20332B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899087Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:56.975{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD19A00C10825F5FDF009212F1964241,SHA256=011E14C599258059628A29E83A8E560C59A44C94E0F2AF3543C49A566BADA530,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899086Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:54.503{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51933-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000007988791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:55.447{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62197-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007988790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:58.103{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2DE96E7077C54AD5A8010A69C650B6D,SHA256=13D146BE06530560FA5F5EAB12195E6BB968AD4F358A7E4C6C038E2E58DCD9BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899088Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:58.037{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=226885A061960AE8759C71D75DD5929C,SHA256=4F2157C56E53F39A06EBBF2604F43D6FFBF060977BC32C855B60F8089B87BF51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:07:59.478{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D01AA1C992578B7E6A7C8B12CDA0C14,SHA256=497A9DCF02B13ABE1D877D81A04E74B5F49A8569A87F932E290CD3F349247BBD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000007988792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:07:59.134{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d76e93-0x42d879b5) 23542300x800000000000000015899089Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:07:59.069{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5E3B9922B618D8F438511918DFD8E86,SHA256=3A87DEC610D10A21093A72E71D0ED7EB1F603DEFED362DAF6AED85AFE8B3CD1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:00.837{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38B8DE03BC1B890B1925CD4E137073EE,SHA256=4652380FF1BD2D23452A05EFCE134DD3B881D7F685374622736AF4C7CCBD6F1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007988794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:00.837{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91E303319EB2BEE4C26E080F1D910838,SHA256=DB2B674C8991FFF6213683960794661AD00FD2BC4B145F910A3537D02A6D7D7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899090Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:00.084{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B591B2C74E7F235D08707820471FB75,SHA256=C67B9686FAEB976BB5C01A3FAEEF6C3F89CFC60C96C0F27865BC30E44DF26017,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899091Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:01.131{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C63DD3F2AA9FCAB9CD05C5F25734CE2,SHA256=FB482C21A8077D98F08D1A65F43A4DFCC338091DB6869177F4B5FD709CF6E023,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:02.212{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B8197C700520544EF34F8A6A82199C1,SHA256=61B900A5536195CF80CC0A66EE09419AE136A59A061B2A61F73A1B64A19A0D2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015899093Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:00.425{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51934-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899092Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:02.131{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D6A9AB54F67C0CC218C99C2E377509A,SHA256=1F2FFE17949B5847665660609E10D2440C6C131AA63B14788D5F62DFD0009081,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007988798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:01.229{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62198-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007988797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:03.572{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6FB7B90772C605C7749DA17DFA58E02,SHA256=BB7A380AB911A5086E422EE45D4F1C0E232640D59F8036F3980747BA71B4D388,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899094Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:03.162{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2701E2D66D16B08E3CBEF9F58052944,SHA256=45EEB33910477B681CD1863501A68E24C98D0746E355C65CDBF53B6BD841C870,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:04.931{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F77DC0CD741046A439CD427FB3FE0473,SHA256=B6B8C3A016E24F2C5BE41907002749E3C00846FD932AFA999778A0665D3AF334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899095Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:04.209{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=854B41C6300CA630EC528909F476EACB,SHA256=D1F6367EA57109AFA994E09BD743E76E3242842CA6874994D6708E568D66A036,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899096Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:05.225{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAE6117002B5612B4CD0E919D5BA65EA,SHA256=0000328030FF335F7490CA0FE4C74504288450FA3F5F78D010D62956B2FEF612,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:06.306{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=601E6DE1C52850DCDCA1AAC494E2CF12,SHA256=C786E68BA85A1630A898B17C11C1FD943DA5979E0D15502C3153CB244EF6B02E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899097Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:06.225{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20868EE6AA2FB410CB0C90A9A30531A1,SHA256=A9AEEDB0290BAE34AF75A5348B9DC7B560AA3DE444FFE9E9099403F0F111E149,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:07.667{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6272C17EDB2A6713DC7F650AD71945D0,SHA256=6440B8055DA7C45A0B82CD864378F3F742942DEA80BA2794A761AB66F1DF83CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015899099Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:05.456{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51935-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899098Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:07.240{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB247DB15FCFE3AE666988747E4B24FF,SHA256=EEF043C6D4E86E7A5874232221E605989CFBDC27E4A3F4073762A69B7492962C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007988802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:06.307{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62199-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899100Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:08.244{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B2F47743E02A7B813FA7E286AE601C7,SHA256=87A4249AF840F0B0CA540E7521B30558772CE66A690C7EB5E0331C75ECF3CA08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:09.713{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A88EB0AFA4F10FB840093B285EC4C5D4,SHA256=7257CA00351965B80C3DD1310C5547FB6ED1B4FF12EB43EAFA266F9D63FB6435,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007988803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:09.026{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDDD49078ACEDC9D2092B35096BEB155,SHA256=E9FBE88D4240B3A13662CB35E8A0169F3FA0D09C57F35B77B4E13A6B7B8915F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899101Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:09.291{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FC43468796DD8DCFCC9B72FD141E98E,SHA256=145A37DFEB4F0A42622DF5CC2FD6A107B83D89F0625E18525F8B151631F9EC4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:10.401{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DDF127C4769B6087A8D1AF352510C8F,SHA256=1428F44D010C57E66D16D1E27E33E0D196B1B61C4FFCEF85455E39EEEC422A9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899102Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:10.322{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84DA604572C502A952ABD49633867F4A,SHA256=2171B318FF84D140189A4D2C21E16486F967284963BF5B4E488FB5FA38F9DF30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:11.417{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A28012240E1F80ABFECE48FE8A511E,SHA256=9846EBEC5C955A7FD4068E089111C7FD32592CD5B05AD6D83C562ED7431F7EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899103Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:11.384{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52947AB99E5CC785F1669563DA592642,SHA256=8CD501E84584FB12B0EDC0C72DBE5B9743377EA0045C9761FE7822F97450CA00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007988808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:10.761{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62200-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007988807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:10.761{3BF36828-DD1D-60DD-2F00-00000000C801}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62200-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x800000000000000015899104Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:12.384{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD63155DDAF8DB144911F4305C389EFB,SHA256=7B90DE129A849C1D4633F4F11E8FEB3F58463871BCDE1B0E3776D3EFC4BE50FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007988809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:11.417{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62201-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000015899106Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:10.491{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51936-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899105Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:13.400{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23FB06A4DCD4482D7EB3443D62E0C56C,SHA256=63F6766C4DD75B28858D775FF363D8C40FAEECCED7C4D139194D4B77C2469982,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:14.104{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=112DBDBD903842F6311EDB0EC0773332,SHA256=9F8B3C232A6BEC1D2135939931B93221652D2C3E9BA5E65E4168C27005CE0E24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007988810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:14.104{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05232317CBF2C76481D5395F2CBFF5F7,SHA256=A29B564C148449E29637129A0D9E4C1B0866475D1AF88E769097A3A3C1FCB5EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899107Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:14.416{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF14429CCAED6E59FBC88B923554605B,SHA256=B299F1CB10BA1F314BEAB6195A81492EBC70DE5CDE2F030990E622C173DB6961,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:15.542{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99029285564F52B421D406EDAB23F602,SHA256=A2E3433A1580984B366AE6C2543CD87736A656C8B82D77F956594B8EC167BE17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899108Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:15.447{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=997D5C65976ED9E7DD2AA3A5CD145ED3,SHA256=A928E59FAF290887C54645C72081333ACA773FF7AA18279914A61DF5C77A98EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007988922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.917{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007988921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.917{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007988920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.917{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007988919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.917{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007988918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.917{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007988917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.917{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007988916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.917{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007988915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.917{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007988914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.917{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007988913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007988912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007988911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007988910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007988909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007988908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007988907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007988906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007988905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007988904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007988903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007988902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007988901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007988900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007988899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007988898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007988897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007988896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 23542300x80000000000000007988895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43825713874D545DB7B896FAD4E4E769,SHA256=AC8CA87AC1CEF34366FBDEC05BF36FF7BB23AE05820C3F2716937E5C80939AA8,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007988894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007988893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007988892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007988891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007988890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007988889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007988888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007988887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007988886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007988885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007988883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007988882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007988881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x80000000000000007988877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007988870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.901{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007988869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.903{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007988868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.323{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007988867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.323{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007988866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.323{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007988865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.229{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007988864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.229{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007988863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.229{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007988862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.229{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007988861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.229{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007988860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.229{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007988859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.229{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007988858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.229{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007988857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007988856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007988855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007988854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007988853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007988852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007988851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007988850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007988849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007988848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007988847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007988846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007988845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007988844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007988843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007988842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007988841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007988840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007988839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007988838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007988837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007988836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007988835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007988834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007988833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007988832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007988831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x80000000000000007988830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007988829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007988827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007988826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007988823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x80000000000000007988820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007988814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.213{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007988813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:16.215{3BF36828-E870-60DD-ED01-00000000C801}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015899109Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:16.462{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA89E0FBB6A9461DA214746A70DD116C,SHA256=CBB72E3EE5A5463D4EDA3D3BF250166C20328B378FF52EA1D76144DC7EA48D31,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007988925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:17.010{3BF36828-E870-60DD-EE01-00000000C801}17803768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:17.010{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007988923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:17.010{3BF36828-E870-60DD-EE01-00000000C801}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000015899110Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:17.494{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD3B21C12B420BDBA67FD58FC056458D,SHA256=FD7E9B39CE8868480DBBF94A4FE68E77E0ED238901A0FA2A14170B2E30C9DCF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:18.276{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=758040DE986B371628522A2D2AB3EC2F,SHA256=A3B9BE54F14750DC2A3B91AC7B5369DB42E19AD9E9399368790469BFDA64FDD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015899112Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:16.350{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51937-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899111Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:18.525{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFD2D99B20E7886B57AF72192E3E1EEE,SHA256=8C1076D0372A4742639E12B212AD6F6251D72C6BB1B3801CDD301C72ECDF7659,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:19.713{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79F5ACAFD03DC1FA17E789B339E3DD14,SHA256=F0F16CC73C876074EECE9BA5D4F63A294777D52B7825AD568A733B98DA6C895C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899113Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:19.556{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5355E6F8350A05DBF2B0C19D84D6104C,SHA256=B2F89B6D7F219870A519760BA5DB5C520E254A1FCD4F299EB3D142834205F601,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:20.932{3BF36828-DD1D-60DD-3000-00000000C801}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007988928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:17.323{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62202-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899114Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:20.587{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCBD3873048D50C8548E7A228D9EB7CD,SHA256=A3B740F3F1CFB35A9E6D6BBDF70CE71BA6A7A5B0EBCF757311B43D5BFA9BD1E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.823{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEB0A275BC845065E26B7144F7A2D751,SHA256=95FB7F016625FEC63C1E8539E968FFECE33C9E611E49CFC90370EC662B95825B,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007988991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.260{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007988990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.260{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007988989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.260{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007988988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.151{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007988987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.151{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007988986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.151{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007988985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.151{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007988984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.151{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007988983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.151{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007988982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.151{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007988981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.151{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007988980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007988979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007988978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007988977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007988976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007988975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007988974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007988973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007988972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007988971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007988970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007988969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007988968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007988967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007988966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007988965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007988964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007988963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007988962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007988961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007988960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007988959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007988958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007988957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007988956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007988955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000007988954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007988953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007988952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007988951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007988950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007988949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x80000000000000007988948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007988946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007988945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007988942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007988940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x80000000000000007988939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007988933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007988932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.140{3BF36828-E875-60DD-EF01-00000000C801}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007988931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C6DF1469D360BCF9C1CD3E109659FE6,SHA256=0C29E85EBC1D1C58AA01F4E02B9F634A0018E0BCC954A947FA4A71E304FD25F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007988930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:21.135{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B18BEB6DDD7D2D560F3D3449281E5EB,SHA256=62F3D1D34941BFE04E6498D0413BA945B85E6555D3E43B9A6F9C881ABE15A855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899115Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:21.603{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=641BD1F288B19E7F0C7504659EE39FAC,SHA256=14715D6EAF44529F652B0AACE2677975D9B1DB00D99870E6D5772A130CE31DD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007988993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:22.510{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F37F870E76F29A22BBFD4F3E872E50C4,SHA256=09EE3BD17A995EB2C43EA52CFEFAF92461ECF69E41C6CF2A9FF58C5D6ED7C8D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899116Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:22.619{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89AE5F99B67E1583A67919F20C1E65CE,SHA256=DC90F7943DF9BF6D9EF55E78E42D676E0AB9EEBB2361664A71F70A7C61AB9B35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007989051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.979{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007989050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.979{3BF36828-E877-60DD-F001-00000000C801}46602876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.979{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007989048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.979{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007989047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.885{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007989046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.885{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007989045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.885{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007989044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.885{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007989043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.885{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007989042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.885{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007989041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.885{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007989040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.885{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007989039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007989038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007989037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007989036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007989035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007989034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007989033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007989032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007989031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007989030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007989029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007989028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007989027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007989026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007989025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007989024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007989023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007989022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007989021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007989020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007989019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007989018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007989017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007989016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007989015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007989014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007989013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007989012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007989010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007989009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007989008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007989005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007988998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007988997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007988996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.872{3BF36828-E877-60DD-F001-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007988995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:23.870{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1A6169C34F9CD26DB292CFEC28AD094,SHA256=2691692F2D53C4EC999EF40683E54300EA937B69586D5B898E1C66F68C451878,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007988994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:20.120{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62203-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000015899117Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:23.619{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC842D05978ACB29335C86ED81A0B939,SHA256=4480EEB8A053F23379E604F2756EFA5CDEB1615F5B4491C114634DAD1BBCFF30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007989108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.760{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007989107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.760{3BF36828-E878-60DD-F101-00000000C801}9324688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.745{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007989105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.745{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007989104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.651{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007989103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.651{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007989102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.651{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007989101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.651{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007989100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.651{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007989099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.651{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007989098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.651{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007989097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.651{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007989096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007989095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007989094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007989093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007989092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007989091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007989090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007989089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007989088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007989087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007989086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007989085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007989084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007989083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007989082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007989081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007989080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007989079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007989078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007989077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007989076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007989075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007989074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007989073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007989072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007989071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007989070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007989069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007989068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007989066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007989065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007989063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x80000000000000007989061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007989053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.635{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007989052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:24.637{3BF36828-E878-60DD-F101-00000000C801}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015899119Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:24.634{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62322110511A0A179DC294F3CEAC425E,SHA256=E24BA9961CE20E2BED4F25006E271FE85DF3B0B17FD5459572534C105A1912C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899118Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:21.444{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51938-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x80000000000000007989166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.448{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007989165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.448{3BF36828-E879-60DD-F201-00000000C801}41443680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.448{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007989163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.448{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007989162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.354{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007989161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.354{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007989160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.354{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007989159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.354{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007989158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.354{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007989157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.354{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007989156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.354{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007989155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.354{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 23542300x80000000000000007989154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6A88BE10D8C9A6356E34D63FDB074DC,SHA256=ABE8071C89403D36E50CD05DDA8CC42F54F69B1BB74A101124088EF3659F7C89,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007989153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007989152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007989151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007989150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007989149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007989148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007989147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007989146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007989145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007989144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007989143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007989142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007989141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007989140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007989139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007989138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007989137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007989136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007989135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007989134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007989133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007989132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007989131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007989130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007989129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007989128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007989127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007989126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007989124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007989123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007989122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007989119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007989111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.338{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007989110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:25.340{3BF36828-E879-60DD-F201-00000000C801}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007989109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:22.401{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62204-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899120Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:25.651{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29CF417A773D965015D78F533E65B44E,SHA256=692B3C1893ABB8DEA9FE5399DBB0FB620D8C3343FBD2204ECA50A7156AE7581C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007989224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.698{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7B51D719FF95F0A5A6357808C92E55A,SHA256=45E469DCD7B09A6C3E1E454709453CD06F7486DC5D855EF9C5DF9E8ABB6C3193,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007989223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.135{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007989222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.135{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007989221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.135{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007989220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.026{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007989219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.026{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007989218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.026{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007989217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.026{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007989216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.026{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007989215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.026{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007989214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.026{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007989213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007989212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007989211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007989210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007989209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007989208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007989207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x80000000000000007989206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007989205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007989204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007989203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007989202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007989201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007989200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007989199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007989198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007989197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007989196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007989195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007989194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007989193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 23542300x80000000000000007989192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95DE44ADBBFF97F848919B9BA59E495D,SHA256=91A7C65B1CA655176212A63CE135D1D4E0E9B70253098FE6168A2F4ED4342E13,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007989191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007989190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007989189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007989188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007989187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007989186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007989185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007989184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007989183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007989181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007989180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007989177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x80000000000000007989174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007989168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.010{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007989167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:26.013{3BF36828-E87A-60DD-F301-00000000C801}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015899121Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:26.681{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F83C7323E93E9FCE57025B15ED8D52D,SHA256=DE55DB3460C420DD953793175D873A87B249564B685EF914CB62515D0E2DE182,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007989225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:27.385{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CD1701D0EA9A7175C5D1A8783359E49,SHA256=E6C584D154BF037E86947E28B3785D401047D734892F100ED065560F4E43B2FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899122Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:27.712{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCF5211A368440C32EDC971E04FED68E,SHA256=F0F7EF2CC883DAD7D78C06FCF900B9386CD328ACA364AEE178C5960DB8A98019,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007989226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:28.135{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32020C3FD1B18663C4B11F41DD74860E,SHA256=69E583C18F51D39DB8100C0D2B5E2FF72381CDB2CFCD35914895EFCDA625EAA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899125Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:28.712{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA41CEE82710AD9FDCE8785C01F7C809,SHA256=57D5671D3701FF46BB853F85EC632A1DF982491342CF66F3C7989EADDCFBB607,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899124Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:28.462{B81B27B7-880B-60DC-1F00-00000000C701}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899123Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:26.475{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51939-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007989227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:29.635{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F9CFD6C6EC33B2CCD86B1C2087B9CF6,SHA256=DCE4CFB728C8E81627BF863C800C471275F34EB502C3547CFA36394A722A6F94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899126Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:29.743{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F48D5549B071A9BDC807F9255FFD0458,SHA256=9B04C6BCBCF2678B2BAEEF97B7E1D4806E23F11E2F814013A3288194A15339EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899128Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:30.790{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CACCC9C9492C815996EF1B783299DBC,SHA256=1F0F04659F14E9C0884C41979E9FFAD2D14ACE759131B214D7575ABDB0FC51B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899127Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:27.756{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51940-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000007989230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:31.760{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B97F2D824910233225387ECA775C728C,SHA256=067D8A3F07F188EE2C1F5B41368859AE2E318CB42BA487E6CCE6DCCD00776DBF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007989229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:28.275{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62205-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007989228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:31.072{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9F75A903D1891C4D0D02E4AB984B41F,SHA256=864ED5E93A31BE2BDDE6E52E78D3D83C4E545BB86DB3A28552ADDCC6DE25AAAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899129Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:31.806{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E99DACF7F9A3FDEF360D62BB05FA9D2,SHA256=1F3BDB029990414940323F104C6BB81B534ADFC49FB92F4A63923A8A43DE1447,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007989231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:32.447{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72EF86AB3C78ABD3199DA5D67FE0DF8D,SHA256=DDD2DA5965193AC39F059CCD95A17656D6505ACFD7E15191277C488A1DD850E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899130Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:32.821{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C08F43C9DC05D82A41E95F0ED9B00C00,SHA256=6089DEED0D15D5FD35F64CD86C7E19494993B649F85F9E1261CB132CF5F8D7EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007989232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:33.822{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=327BD01F19403A44CBE131F619733D13,SHA256=58F15F7939ED07311981143C07D25EC755BBD8FA7CF4808DCC0E093595B46A17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899132Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:33.837{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9333DC51FF24BB83ED5D572FA6A2B092,SHA256=1DF197999C0A23737F9E9B5F276626578965B858C4C532463803FC8B362B7FC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899131Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:31.521{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51941-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899133Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:34.852{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D48792E981DEA4DC8547FDFA0F01E450,SHA256=15C8F66F49D78CC6B2E41888EE23D5D4EC4C455F26B2C7C2CCEF55E97EC0F228,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007989234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:33.416{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62206-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007989233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:35.182{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D1973D56DD1659EB19787E4BA55B30B,SHA256=5BC532904D540B1F14308591CF7855884A361B20653653530C0F429D39B14665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899134Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:35.899{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9BE2F2D0ADD45E4909E18F39EAEAE59,SHA256=F632B7AF4FB344B058AF1B115C9143FBD7AA9AD0FCEB00AC0679A076C424530D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007989235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:36.557{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F0E8B1F64AA47E380DF0C65F77E110D,SHA256=78E8D4060BEE31AE3CE45125A8C86080C6DA9FF51D5593B232DF7ACEAC0065AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899135Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:36.899{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=979F7EFA72D3FCEF43A6D18C843EE401,SHA256=48FA629362B98BC386E919C71FF517A807001F472844347782129CC96312FD7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007989236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:37.916{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C961F022A1CFF497EDE53B8CA5C1B6FC,SHA256=EA8F8318CDEBB3D7A2EB747D7D3B5C73266EDAD065D64811E0D11AF8F6809C6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899136Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:37.946{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A5D9F6C2973E967C733BBA5FAB56F70,SHA256=E8705CFEE0DA2AC4CC1C0EBD0D2CB157A7E37BB4555A3B27B751CE2DF578E5A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899137Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:38.993{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97508030FE14706437F52CAF858FBC00,SHA256=D071963EDB3CDB3338A6F6DB0352C6D53AA1E84347E131C4AA4E795ABE238DFE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007989237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:39.322{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E61C029B1F42B158EE8F62759170950,SHA256=1E82B675F69B6721773FA2D2283890EC475F5C0C825F411BD6228B64E56104F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015899138Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:37.365{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51942-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007989238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:40.681{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF9DF498E9D4D78701A70CF64B61DD7,SHA256=975D13569763B1B4D36A25505C33EA0F6BC536828B9EBD871D159C76EDD58E07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899139Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:40.009{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=474BD618DD0B6227B14F0924D8E8BB83,SHA256=C2ABF90C2088DC0970950C27BE0C72B238697DB0D2DD39673531F5A1ED98788A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007989240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:39.322{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62207-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007989239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:41.369{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DB9E886E17CDCBE78401AE8D59B04F6,SHA256=39AF29B74563716A8819526EA1190D47CFDD7C4DC054711162C0D3349C027270,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015899142Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:39.071{B81B27B7-8806-60DC-0100-00000000C701}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255ip-10-0-1-255.us-west-2.compute.internal138netbios-dgmfalse10.0.1.15win-host-987.attackrange.local138netbios-dgm 354300x800000000000000015899141Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:39.071{B81B27B7-8806-60DC-0100-00000000C701}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-987.attackrange.local138netbios-dgmfalse10.0.1.255ip-10-0-1-255.us-west-2.compute.internal138netbios-dgm 23542300x800000000000000015899140Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:41.024{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E786482EEDD70B4D4EBC9F0A3D77F380,SHA256=0009E2B92D7DE1A2C361C91D711B305255568B1E1A1F7700BD332DE2CED56809,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007989242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:42.385{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C36B022C8136E10B2987A610ECE64FD,SHA256=F14890F981222022E26E4B5F8F681362FE698724BFFE54F0723937555FFC7BA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007989241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:42.385{3BF36828-DD0D-60DD-1200-00000000C801}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B20F20110F8CDD17E10F66FA045705E2,SHA256=954187255BA7A11051D9678B858B640C6F251666A3DD5BCA2AE41FB7F36D7997,IMPHASH=00000000000000000000000000000000falsetrue 154100x800000000000000015899144Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:42.994{B81B27B7-E88A-60DD-322A-00000000C701}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015899143Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:42.040{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F020F8B95075580964191FD98B32646B,SHA256=886498FEC1472757DAD8E4C6F3097CAA7D05EAA37689B8C0C0745001DBBF67FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015899171Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:43.665{B81B27B7-E88B-60DD-332A-00000000C701}36124512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899170Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:43.524{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E88B-60DD-332A-00000000C701}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899169Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:43.524{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899168Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:43.524{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899167Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:43.524{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899166Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:43.524{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899165Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:43.524{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899164Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:43.524{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899163Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:43.524{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899162Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:43.524{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899161Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:43.524{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899160Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:43.524{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E88B-60DD-332A-00000000C701}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899159Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:43.524{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E88B-60DD-332A-00000000C701}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899158Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:43.526{B81B27B7-E88B-60DD-332A-00000000C701}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015899157Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:43.134{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58A812FC60F682F5498CBF949AEE863B,SHA256=7869A4338B1EA93101F0975B33B90EA438C122C782F997DBD700E1C51E1D0A82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015899156Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:42.993{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E88A-60DD-322A-00000000C701}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899155Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:42.993{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899154Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:42.993{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899153Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:42.993{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899152Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:42.993{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899151Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:42.993{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899150Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:42.993{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899149Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:42.993{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899148Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:42.993{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899147Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:42.993{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899146Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:42.993{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E88A-60DD-322A-00000000C701}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899145Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:42.993{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E88A-60DD-322A-00000000C701}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007989243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:44.416{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95CBDE98040DE748E5909EDD3DA35EBD,SHA256=8FB986391BF0C307422363DF1B2A9C0FBA14DCD073E41CF56A81E69B431B39FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015899188Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:42.443{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51943-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899187Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:44.180{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B04DFA9C07CCE9CE3DF8C050327E8482,SHA256=F405BDC529AFFCD40BA92962F35ADA7083B5DFA02E5A2C024706A76B5942295F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015899186Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:44.149{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E88C-60DD-342A-00000000C701}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899185Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:44.149{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899184Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:44.149{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899183Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:44.149{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899182Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:44.149{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899181Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:44.149{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899180Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:44.149{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899179Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:44.149{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899178Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:44.149{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899177Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:44.149{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899176Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:44.149{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E88C-60DD-342A-00000000C701}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899175Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:44.149{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E88C-60DD-342A-00000000C701}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899174Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:44.150{B81B27B7-E88C-60DD-342A-00000000C701}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015899173Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:44.056{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F7E01D1B4212F6373A3485FE8B030B7,SHA256=7699298E9C53E8211A790AED0A67ED32881A0600ED7250F8CE40CBB8272A3540,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899172Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:44.056{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B66165644C225B5D0105356C66918108,SHA256=5E969FB137B2768BB7D5E57ABCF4B435B94C0FBCF72350CB021ED78A01643F44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007989244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:45.775{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93EB6C886EE138B567F5980DDA12007C,SHA256=19F472EDA41C2D5F9676DC2A9D60EE1C7D6F6BC9A6EF9431A9A685C1E16CC10E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899190Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:45.196{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05702F4C537E8CF31EBA51C9F61DBB86,SHA256=26A449F6EFFACCD66DAE5AD1C43FEDAFD0DEC6053B6CAE25AA3FC0A185AC3842,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899189Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:45.165{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F7E01D1B4212F6373A3485FE8B030B7,SHA256=7699298E9C53E8211A790AED0A67ED32881A0600ED7250F8CE40CBB8272A3540,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899191Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:46.212{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E863CD7DFB6D38F57B71D4F20F8F2500,SHA256=B86D738AF0EEE727C9BC565E884E22848B0E8031F1AB83CCE7FD1D0AC4C23ABC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007989246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:47.152{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DD6638699604D71E768A7AC287A4A52,SHA256=838F77261052850111B64006FD60B40BC96E3D3E20A9857CA2FDDCB00C30A901,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007989245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:44.431{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62208-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000015899216Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:47.559{B81B27B7-E88F-60DD-352A-00000000C701}6965992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000015899215Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:08:47.419{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000015899214Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:08:47.419{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x056118ed) 13241300x800000000000000015899213Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:08:47.419{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d76e8a-0xfd91da07) 13241300x800000000000000015899212Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:08:47.419{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d76e93-0x5f564207) 13241300x800000000000000015899211Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:08:47.419{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d76e9b-0xc11aaa07) 13241300x800000000000000015899210Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:08:47.419{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000015899209Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:08:47.419{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x056118ed) 13241300x800000000000000015899208Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:08:47.419{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d76e8a-0xfd91da07) 13241300x800000000000000015899207Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:08:47.419{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d76e93-0x5f564207) 13241300x800000000000000015899206Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:08:47.419{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d76e9b-0xc11aaa07) 10341000x800000000000000015899205Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:47.403{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E88F-60DD-352A-00000000C701}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899204Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:47.403{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899203Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:47.403{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899202Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:47.403{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899201Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:47.403{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899200Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:47.403{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899199Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:47.403{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899198Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:47.403{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899197Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:47.403{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899196Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:47.403{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899195Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:47.403{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E88F-60DD-352A-00000000C701}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899194Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:47.403{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E88F-60DD-352A-00000000C701}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899193Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:47.404{B81B27B7-E88F-60DD-352A-00000000C701}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015899192Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:47.227{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C54643A3F404F03DC15D075DC20C0E59,SHA256=3885B433CEE00A2212F16BD5C44D1EF133B6DD6CEFC1E58A95B2743B77FB7EDC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007989247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:48.510{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D12E9B9B3D1A6F03B5BFBCE747BD4BBF,SHA256=D2B2FA97A88FD6EC3B1756BE93B0E34EEE214FF55C20E532DEFDC3CF91B9C69A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015899245Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:48.731{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E890-60DD-372A-00000000C701}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899244Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:48.731{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899243Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:48.731{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899242Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:48.731{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899241Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:48.731{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899240Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:48.731{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899239Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:48.731{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899238Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:48.731{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899237Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:48.731{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899236Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:48.731{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899235Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:48.731{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E890-60DD-372A-00000000C701}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899234Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:48.731{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E890-60DD-372A-00000000C701}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899233Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:48.735{B81B27B7-E890-60DD-372A-00000000C701}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015899232Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:48.731{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7DA5212B131C1D397F699D19428D7CB,SHA256=1237692B93936FA1DCFB08C50C789F5301121782139BCF38D7E64E5AB6FFC554,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899231Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:48.731{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BADD236C4210EE9EE5A8A437AAED4D4C,SHA256=ED2646AE18F06B3DD31A8E53DC0F0BC70B0481813B5C700D8711DEBB05DB3C61,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015899230Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:48.216{B81B27B7-E890-60DD-362A-00000000C701}908368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899229Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:48.075{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E890-60DD-362A-00000000C701}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899228Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:48.075{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899227Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:48.075{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899226Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:48.075{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899225Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:48.075{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899224Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:48.075{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899223Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:48.075{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899222Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:48.075{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899221Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:48.075{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899220Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:48.075{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899219Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:48.075{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E890-60DD-362A-00000000C701}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899218Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:48.075{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E890-60DD-362A-00000000C701}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899217Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:48.076{B81B27B7-E890-60DD-362A-00000000C701}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007989248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:49.887{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D167EF8902E524BAF4118FCBA2FB8948,SHA256=C1172D5C04524B9BEAF74FCF3FE38AE1D1B7ADB5AF881D480A41902BCEFF24F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899261Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:49.872{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6C2A64279BF3B7A880FACB36D1E6440,SHA256=98E8EEA9B1946E7A93FE0936252AAA9394657CA9FC495D695EF5C5170F6C987A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899260Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:49.872{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB5F156B2668F56E193BC2C6F6D2D3F7,SHA256=D2CE53D71DCEB5CBF082520AAC5F871287B232CF1A0874B4170F7E80BE37BD32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015899259Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:49.544{B81B27B7-E891-60DD-382A-00000000C701}3876668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899258Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:49.403{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E891-60DD-382A-00000000C701}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899257Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:49.403{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899256Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:49.403{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899255Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:49.403{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899254Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:49.403{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899253Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:49.403{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899252Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:49.403{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899251Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:49.403{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899250Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:49.403{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899249Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:49.403{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899248Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:49.403{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E891-60DD-382A-00000000C701}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899247Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:49.403{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E891-60DD-382A-00000000C701}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899246Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:49.404{B81B27B7-E891-60DD-382A-00000000C701}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000015899263Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:48.478{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51944-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899262Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:50.872{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3609CC79261F45B2D38C96008E1C29B9,SHA256=066060189D29C1FF57FCDFAA7CBDF3E7C9EFD21127CF078BEE86FC1140C9DD52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007989250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:51.934{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90966D723B374B033F7D04456AD55E29,SHA256=21985298681CBCD0BBF1971A93836E32E50E9ABD0028A3C7FB8AA94D07C06424,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007989249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:51.247{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9124E8F5D520216E8E2D2F66E6BA5E8E,SHA256=D18B0DD74FDE4DDEE77638BCD0EB4F46B12068E8A74C32850600CD7F4EAE510E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899264Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:51.887{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28C44472FA1BC5AA7033C3BEAE92A141,SHA256=3E2842EBF9143CFE5BFE8F0F958D84A9E609762E9678F2CB68B5DF6CBE80D774,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007989252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:52.606{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA1120A55AA8D09BDF4F7256EA538208,SHA256=881A0E3B684AF751541485F41E216594B1E818D902BFDC1567C785D6AE2719C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007989251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:49.449{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62209-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899265Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:52.903{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=654A62751290580B5345940696A433BA,SHA256=8BB38A43BC197259979F8E9D8AC45AC5A4142A499ADCDD5585B0B4695DAE3312,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007989253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:53.981{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E33F2F14A5E224E45EFD1705DCAFC59,SHA256=2CA9F19CBE59F5EB7657D47EEBDD5DC67AC38322D0CDE71A575C2665C479A3B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899266Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:53.920{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21124DBF998329FBB676C70B0E0B8CC1,SHA256=F8107D290B259ADFBB87A4C55FC7F9EDBD8D1CC7EED954E3CC078BC360A5D8BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899267Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:54.932{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=891E8699888DB5795C7403A8EC4E94A1,SHA256=03224B21C20D18053D137407338457FE6BD19C77B154EEEE530EF8B1C4101F29,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007989254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:55.340{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72083EC6769B4FAD3A978EA5417182FC,SHA256=EE521204BDC897B2D15061BBF1DCB872A13559F246BFB26C9BC90480DA3218FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899278Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:55.935{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=667E036E0C8C9C3C00FB7B6631B6496E,SHA256=2BA7A37B6D3A759B5A7B9CD60CFE37641AEB57449669CE5DDF62AD340055A959,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015899277Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:55.776{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899276Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:55.776{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899275Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:55.776{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899274Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:55.776{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899273Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:55.776{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899272Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:55.776{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899271Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:55.776{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899270Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:55.776{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899269Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:55.776{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015899268Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:55.354{B81B27B7-880A-60DC-1000-00000000C701}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E9ECB98F016869E8AC8AEA54652A16E7,SHA256=CF7F3E4A47D0E128DEB8500390B0D348BE44E630DBDD58B7AC81BA21F4C357C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007989256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:56.715{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=949603912670FFE38AD33DAB067B9187,SHA256=768A526092E4E27D8D687247852B77FE220F4D4E638B461E0CFCA48CE3942C4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007989255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:54.465{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62210-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899294Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:56.951{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2361E5D43627364C23198F2B9801C9FF,SHA256=603AF7B630B24E97FEBA93708068182D7CC643D806274AE054D97CF9C74B188F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899293Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:56.529{B81B27B7-880A-60DC-1600-00000000C701}1208NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\Windows\security\audit\audit.csvMD5=901780EC1F9A9A9FB58D43E2EC7C03C0,SHA256=7321F37E7D50B2672448C6F6284C83EA13189EF9E32BD5535B2204AC3CF5FD41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015899292Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:56.513{B81B27B7-880A-60DC-0B00-00000000C701}6401524C:\Windows\system32\lsass.exe{B81B27B7-8806-60DC-0100-00000000C701}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000015899291Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:56.513{B81B27B7-880A-60DC-0B00-00000000C701}6401524C:\Windows\system32\lsass.exe{B81B27B7-8806-60DC-0100-00000000C701}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000015899290Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:56.513{B81B27B7-880A-60DC-0B00-00000000C701}6401524C:\Windows\system32\lsass.exe{B81B27B7-8806-60DC-0100-00000000C701}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000015899289Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:56.513{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899288Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:56.513{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899287Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:56.513{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899286Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:56.513{B81B27B7-880A-60DC-0B00-00000000C701}6402588C:\Windows\system32\lsass.exe{B81B27B7-8806-60DC-0100-00000000C701}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x800000000000000015899285Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:53.526{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51945-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000015899284Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:56.076{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899283Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:56.076{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899282Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:56.076{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899281Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:56.076{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899280Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:56.076{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899279Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:56.076{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1400-00000000C701}388C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000007989263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:55.452{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-98751949-false10.0.1.14win-dc-128.attackrange.local389ldap 354300x80000000000000007989262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:55.339{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local389-false10.0.1.15WIN-HOST-98752078- 354300x80000000000000007989261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:55.338{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.15WIN-HOST-98752077- 354300x80000000000000007989260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:55.328{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-98751948-false10.0.1.14win-dc-128.attackrange.local389ldap 354300x80000000000000007989259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:55.138{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-98751947-false10.0.1.14win-dc-128.attackrange.local49666- 354300x80000000000000007989258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:55.137{3BF36828-DD0D-60DD-0D00-00000000C801}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15WIN-HOST-98751946-false10.0.1.14win-dc-128.attackrange.local135epmap 354300x80000000000000007989257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:55.029{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local389-false10.0.1.15WIN-HOST-98758867- 354300x800000000000000015899295Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:55.088{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-987.attackrange.local58867-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal389- 23542300x80000000000000007989269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:58.747{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A3AB3455FFC696AD022B2E288C06813,SHA256=2A59700C9615114653754035248AF02E3029263081BE83B324D8F6A58B971F04,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007989268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:55.775{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-98751953-false10.0.1.14win-dc-128.attackrange.local445microsoft-ds 354300x80000000000000007989267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:55.774{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-98751952-false10.0.1.14win-dc-128.attackrange.local445microsoft-ds 354300x80000000000000007989266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:55.773{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-98751951-false10.0.1.14win-dc-128.attackrange.local445microsoft-ds 354300x80000000000000007989265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:55.768{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-98751950-false10.0.1.14win-dc-128.attackrange.local445microsoft-ds 23542300x80000000000000007989264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:58.075{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B13EFA278A08FF515B8A3F73F155D194,SHA256=7733C18EF2FBFC0DABD712B87B3D533F62EFB09467E451936CD0D61AF434B73E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015899302Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:55.832{B81B27B7-8806-60DC-0100-00000000C701}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51951-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal445microsoft-ds 354300x800000000000000015899301Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:55.827{B81B27B7-8806-60DC-0100-00000000C701}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51950-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal445microsoft-ds 354300x800000000000000015899300Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:55.511{B81B27B7-880A-60DC-1600-00000000C701}1208C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51949-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal389ldap 354300x800000000000000015899299Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:55.387{B81B27B7-880A-60DC-1600-00000000C701}1208C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51948-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal389ldap 354300x800000000000000015899298Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:55.197{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51947-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49666- 354300x800000000000000015899297Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:55.195{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51946-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal135epmap 23542300x800000000000000015899296Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:57.998{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06EC64A6A7F13C1CFCFAE6B3CF2266A5,SHA256=6FC58EFFAEB86A13A0664011FBC5DC6FEEDC9135BCDF6CEC8B9E680ECFC22A90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899305Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:55.834{B81B27B7-8806-60DC-0100-00000000C701}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51953-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal445microsoft-ds 354300x800000000000000015899304Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:55.833{B81B27B7-8806-60DC-0100-00000000C701}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51952-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal445microsoft-ds 23542300x800000000000000015899303Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:59.029{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C28D4BB1A2FC688DF00CE306A0DAF56,SHA256=6A3796D67BC88E476C47C60C4CE4491B73B85AFE670EE938AC78B6B8653046A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007989272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:00.793{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFB5E7BB537644F3D0913EF6BE127F4C,SHA256=237410BC466B7B234FCFAFC9CE62CF10E7F3E4E1C24535CC796A4956368BFC1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007989271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:58.521{3BF36828-DD0D-60DD-1000-00000000C801}372C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse72.43.121.44rrcs-72-43-121-44.nyc.biz.rr.com16892-false10.0.1.14win-dc-128.attackrange.local3389ms-wbt-server 23542300x80000000000000007989270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:00.122{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADCA030CD5F2FBE5B8F839441EC8CF25,SHA256=4F581FA05CC3433AA2C62BC151410A30B2001A8E31B73E59147625798C56D286,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899306Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:00.045{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C25F8877897162FC9624C0E96E91C26D,SHA256=2D229602ED20671D07E468262DAF47995E8A6A5FCBACC1D4CF0E726C250247E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007989273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:01.481{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3BA6FA5D2A1DAC970F0057D7447688F,SHA256=74D699CD6DD08063E545B99433A3BF6C45372F3EDF0498CD66C77BCFDCCDE258,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899307Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:01.091{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D2A2F8644EDB4AE5E7E4359C262D75,SHA256=FE0F0F299236AD6868D8C5B9D80CFE364B921F0A26B52BEB0DF18C5197AB7290,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007989275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:02.840{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7660692FFA179A680F9144FC0F1B5C9,SHA256=F8235A5766D6F25008D58AA43CC6782F3F60352B6BFD9418DB3B9214FBB00651,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007989274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:08:59.793{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local58198- 354300x800000000000000015899309Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:08:59.542{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51954-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899308Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:02.123{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB1348C4B920FF0232D58BD1834A8468,SHA256=2FC754C5B3C7A7B29D83B2D201E82BBEAF8919741E374DD7A991A6C52725DCDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007989276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:00.308{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62211-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899310Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:03.138{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EDBAABCCEBF14F88A3309F004A9069A,SHA256=4F23ABB3E3F49D307F7616ADE356D6CD37CB9EB7EC8EEBBF4B3C9E8D19AA31A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007989277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:04.215{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7AAB52426D4A5B654D8A3E01EFBE1C1,SHA256=B4DE2620CB1082CE68EC86B59875EE7594824E16498E7109F2E80364D67616CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899311Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:04.185{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D534813E8F05DA35B80707C97280BFFB,SHA256=BDB28CE477EAE9DB0AE79EB31CBFBBD2CF7B5CE6C61C576D86079F02619BDC3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007989278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:05.575{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61E5D27BA7FA82ACEC32A27C95C42887,SHA256=B8C8A4A127A09C1723B7EF2428559BD35E1CB9EDEAD64148B1823B7F057D0B05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899312Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:05.185{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF9FAD14DA1AB31486E4522F283DD6DD,SHA256=9FF6E6B28289D1503F8A358BB71B84763144FFC9E79B830059A983E1345F2CFF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007989279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:06.934{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB2B0493830D56745F070DACFDD75732,SHA256=E2DAE4F10CAFB7E8D2C3602EC17DAC1506B1ADADCB8A3AF706FF3AA173CF5FD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899313Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:06.201{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=296B7C664042C3E204A7F4B7851287E2,SHA256=CB18A4085D1B0EE2919174A32B7DEF89560EA15F8864BD37CFD1783128F942BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899315Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:05.354{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51955-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899314Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:07.248{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA4A0425F057BA8E9483E7B00892A241,SHA256=60DC525524AA9A44B9EC2708B9857F01654B3B9A10D616BF138F2C372ABF5D00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007989281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:08.296{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBE6DE487F064B19EE8B5299C96CFD47,SHA256=7CB9642DADA320C3CC274486272CCE01D2685D43EEF860ED1CAA8745DC4A6A5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007989280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:05.340{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62212-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899316Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:08.248{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29FA4AA36264836ACB04717402DE6134,SHA256=20DA1C14AFB3B38A8C6953DC8A861F9021DE5FF9BE7C9684B5A5E5DF9BB79F7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007989282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:09.671{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E867C4D75F9E46E361FAE9619E1243F,SHA256=6005DB74043F3BA83525354126172CD6EDD18355BFAACA5F24F3E4647A9ECE0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899317Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:09.327{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D76FC3BC92F9212D0DE31E56125AE77,SHA256=2179C6A673BEDA601C2C403701DA277DA58A2F86FBF822118A7ECCB0E49315DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007989283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:10.343{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39711676807F89D0FE607738FFF88D96,SHA256=BBAAA9FAB8F69100F51C30446F478703D2FFDD5C306FE421787DCCA264D1EA0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899318Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:10.327{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4B1DDEFAC256DF220DD48AC2AC885FF,SHA256=6E642047DB337CE7917DC9F5F9B0C25A12E3AEE37761FC518FC8EB48492489DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007989284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:11.031{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55AE532B6B033F97FD302B2EA97C9930,SHA256=395CA3E81D603B2511402A7AC2D8D0176198C92EBCCE4CE381E0767E5442459F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899319Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:11.342{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DD3311B66B1359E2502483715F7AEC3,SHA256=F62BD7D34A77F43BDD00EA295E5181D6BB479945723311DAA87047E5781DBA4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007989366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.952{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6DtrueMicrosoft WindowsValid 13241300x80000000000000007989365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:12.968{3BF36828-DCF0-60DD-0100-00000000C801}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000007989364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:12.968{3BF36828-DCF0-60DD-0100-00000000C801}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000002) 13241300x80000000000000007989363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:12.968{3BF36828-DCF0-60DD-0100-00000000C801}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x80000000000000007989362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:12.968{3BF36828-DCF0-60DD-0100-00000000C801}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000007989361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:12.968{3BF36828-DCF0-60DD-0100-00000000C801}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000002) 13241300x80000000000000007989360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:12.968{3BF36828-DCF0-60DD-0100-00000000C801}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x80000000000000007989359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:12.968{3BF36828-DCF0-60DD-0100-00000000C801}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000007989358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:12.968{3BF36828-DCF0-60DD-0100-00000000C801}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000002) 13241300x80000000000000007989357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:12.968{3BF36828-DCF0-60DD-0100-00000000C801}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 13241300x80000000000000007989356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:12.968{3BF36828-DCF0-60DD-0100-00000000C801}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000007989355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:12.968{3BF36828-DCF0-60DD-0100-00000000C801}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 13241300x80000000000000007989354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:12.968{3BF36828-DCF0-60DD-0100-00000000C801}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 10341000x80000000000000007989353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.968{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.968{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.968{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.952{3BF36828-E8A8-60DD-F501-00000000C801}2576C:\Windows\System32\csrss.exeC:\Windows\System32\sxssrv.dll10.0.14393.3630 (rs1_release.200407-1730)Windows SxS Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationsxssrvMD5=6544F8B9914C8EF44FFD2965D6D6C4DE,SHA256=B9FB6A183039AD35C0BE6D0DEBCB4618E15CF17D385E4886ED457DA23B31AB8B,IMPHASH=00AF6EC553770FC264FB6B6AB7AF069AtrueMicrosoft WindowsValid 734700x80000000000000007989349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.968{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570,IMPHASH=2E790E44628AED89C2CC17E1E4A5CE1CtrueMicrosoft WindowsValid 734700x80000000000000007989348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.968{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x80000000000000007989347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.952{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007989346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.952{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007989345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.952{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007989344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.952{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x80000000000000007989343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.952{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007989342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.952{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007989341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.952{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x80000000000000007989340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.952{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.952{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.952{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.952{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.952{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 10341000x80000000000000007989335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.952{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.952{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.952{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007989332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.952{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.952{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.952{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.952{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007989328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.952{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F501-00000000C801}2576C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000007989327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.952{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000007989326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.952{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000007989325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.952{3BF36828-E8A8-60DD-F401-00000000C801}35043264C:\Windows\System32\smss.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000007989324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.959{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e72SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{3BF36828-E8A8-60DD-F401-00000000C801}3504C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d8 000000b8 734700x80000000000000007989323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.937{3BF36828-E8A8-60DD-F501-00000000C801}2576C:\Windows\System32\csrss.exeC:\Windows\System32\winsrv.dll10.0.14393.3686 (rs1_release.200504-1524)Multi-User Windows Server DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsrv.dllMD5=7BD8CD73F08B93E856BA2F7E6E93F6D0,SHA256=994340D9BF1DBE04F33544DC8FC4B1F72695AD5054F3409AA5F26743070DE55B,IMPHASH=C8D1A6852C2C1ACB144F54DCE583FF51trueMicrosoft WindowsValid 734700x80000000000000007989322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.937{3BF36828-E8A8-60DD-F501-00000000C801}2576C:\Windows\System32\csrss.exeC:\Windows\System32\basesrv.dll10.0.14393.2969 (rs1_release.190503-1820)Windows NT BASE API Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationbasesrvMD5=E57547B04ECB8873391616364E94B1FD,SHA256=6A17093974B9F90EC0C18208DD620E63656C86027B2C26EEB05F0606584AAFA2,IMPHASH=37B4D578B2264868FB6A98DD88658A34trueMicrosoft WindowsValid 10341000x80000000000000007989321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.952{3BF36828-DCF0-60DD-0200-00000000C801}3202612C:\Windows\System32\smss.exe{3BF36828-E8A8-60DD-F501-00000000C801}2576C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007989320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.952{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F501-00000000C801}2576C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.937{3BF36828-E8A8-60DD-F501-00000000C801}2576C:\Windows\System32\csrss.exeC:\Windows\System32\csrsrv.dll10.0.14393.187 (rs1_release_inmarket.160906-1818)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSrv.DLLMD5=F1E2170B311D75405C53DFDFBDB6DC01,SHA256=346BBAB08F552E1DDBAD73DDDFC667CE211410C06CDF84C85E12B7CFC579E7C8,IMPHASH=483DAC0149F3BEB9F4281D2B8414EB83trueMicrosoft WindowsValid 734700x80000000000000007989318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.937{3BF36828-E8A8-60DD-F501-00000000C801}2576C:\Windows\System32\csrss.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007989317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.937{3BF36828-E8A8-60DD-F501-00000000C801}2576C:\Windows\System32\csrss.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007989316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.937{3BF36828-E8A8-60DD-F501-00000000C801}2576C:\Windows\System32\csrss.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007989315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.937{3BF36828-E8A8-60DD-F501-00000000C801}2576C:\Windows\System32\csrss.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007989314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.937{3BF36828-E8A8-60DD-F501-00000000C801}2576C:\Windows\System32\csrss.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007989313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.937{3BF36828-E8A8-60DD-F501-00000000C801}2576C:\Windows\System32\csrss.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007989312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.937{3BF36828-E8A8-60DD-F501-00000000C801}2576C:\Windows\System32\csrss.exeC:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.ExeMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6trueMicrosoft Windows PublisherValid 10341000x80000000000000007989311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.937{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.937{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.937{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.937{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.937{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.937{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.937{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.937{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.937{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.937{3BF36828-E8A8-60DD-F501-00000000C801}2576C:\Windows\System32\csrss.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007989301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.937{3BF36828-E8A8-60DD-F401-00000000C801}35043264C:\Windows\System32\smss.exe{3BF36828-E8A8-60DD-F501-00000000C801}2576C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000007989300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.944{3BF36828-E8A8-60DD-F501-00000000C801}2576C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e72SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{3BF36828-E8A8-60DD-F401-00000000C801}3504C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d8 000000b8 734700x80000000000000007989299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.937{3BF36828-E8A8-60DD-F401-00000000C801}3504C:\Windows\System32\smss.exeC:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exeMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724AtrueMicrosoft Windows PublisherValid 10341000x80000000000000007989298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.937{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.937{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.937{3BF36828-DCF0-60DD-0200-00000000C801}3202612C:\Windows\System32\smss.exe{3BF36828-E8A8-60DD-F401-00000000C801}3504C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007989295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.937{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.937{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.937{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.937{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.937{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.937{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.937{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.937{3BF36828-E8A8-60DD-F401-00000000C801}3504C:\Windows\System32\smss.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007989287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.937{3BF36828-DCF0-60DD-0200-00000000C801}320972C:\Windows\System32\smss.exe{3BF36828-E8A8-60DD-F401-00000000C801}3504C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+3c31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000007989286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.936{3BF36828-E8A8-60DD-F401-00000000C801}3504C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000000d8 000000b8 C:\Windows\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e72SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{3BF36828-DCF0-60DD-0200-00000000C801}320C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 23542300x80000000000000007989285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:12.406{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0486E93CCCE3AAE3E50EBFEEDD44A8D,SHA256=CB352A50975BAC295DFF884D6E4CE8F41E8CA2071102486C8F23A0173BE26C1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015899321Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:10.495{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51956-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899320Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:12.373{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=272BEDD13D8CD58F1268B8A718CF8D3D,SHA256=06B402492D4723CF1BC924B683A8533C7B5CBAB637408DC8C2F8D167C5C99516,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007989674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.640{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\directmanipulation.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Direct Manipulation ComponentMicrosoft® Windows® Operating SystemMicrosoft Corporationdirectmanipulation.dllMD5=EA7CE188E0D1E66C361C8B87304EACDE,SHA256=9ADCA2B7554173A0FD8833F65935C151B09A5D790F46E9EC4EE25E9622F1159A,IMPHASH=D9F27AFFC8B05CE56A2B9B9CD5B4C9B5trueMicrosoft WindowsValid 10341000x80000000000000007989673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.984{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.984{3BF36828-DD0D-60DD-1600-00000000C801}1320C:\Windows\System32\svchost.exeC:\Windows\System32\pnpts.dll10.0.14393.0 (rs1_release.160715-1616)PlugPlay TroubleshooterMicrosoft® Windows® Operating SystemMicrosoft Corporationpnpts.dllMD5=FFA44FD7FEDA32632E8CE84AD0F9101B,SHA256=2A0746A7876C1A430F9C9A5BE4BE28CAA2FF4F73477651AE5CC74462278F333B,IMPHASH=2AF0358C9B643BA1C759C9C883F150F5trueMicrosoft WindowsValid 10341000x80000000000000007989671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.984{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.984{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.984{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.984{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.968{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\usermgrcli.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)UserMgr API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationusermgrcli.dllMD5=53088C541D573FB17068D8C7FE2C91EA,SHA256=20C4124FDB49FA02F9E90B15E9DBA8E0BBD5A82218038AA636FCFAEDEA1B54EA,IMPHASH=5124BA4251101F1719330C2018DBB582trueMicrosoft WindowsValid 734700x80000000000000007989666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.624{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\credprovhost.dll10.0.14393.4402 (rs1_release.210426-1725)Credential Provider Framework HostMicrosoft® Windows® Operating SystemMicrosoft Corporationcredprovhost.dllMD5=D64A4C4E4CDB8DD6128D4EFAC4118353,SHA256=A503771EBD077D5C5C2EFF2499E074A8B05099A59D68E7668F403EB6DC4A902A,IMPHASH=2B8D4C5C44B72C4C63973FFAB9046281trueMicrosoft WindowsValid 10341000x80000000000000007989665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.968{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.968{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.968{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.968{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.968{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\PhotoMetadataHandler.dll10.0.14393.4169 (rs1_release.210107-1130)Photo Metadata HandlerMicrosoft® Windows® Operating SystemMicrosoft CorporationPhotoMetadataHandler.dllMD5=6FB0850ABAD1E8FDD1F662FCF819262C,SHA256=3EFCA956A159AE40CE292607EC59E4D258BDE13EAB51AFEF270FE55154CFA26E,IMPHASH=C204FCA51D1E4DDB2A7903D799C90765trueMicrosoft WindowsValid 734700x80000000000000007989660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.609{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\InputSwitch.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Windows Input SwitcherMicrosoft® Windows® Operating SystemMicrosoft CorporationInputSwitch.dllMD5=2B36BB851BC67134276AF104374E1AE7,SHA256=5BBE3DAB8CC51D7979C85F6794AC87EC01033B10381C9975BB82EFDD130C71F8,IMPHASH=9FA3243ACAFF711089EA1F97D1240A36trueMicrosoft WindowsValid 734700x80000000000000007989659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.593{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.Globalization.dll10.0.14393.4169 (rs1_release.210107-1130)Windows GlobalizationMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Globalization.dllMD5=D48D3F64A7718C672CDEC0B7A8CB7695,SHA256=C459390E3E67665FC2413469F8C29544DB9421D14B6C40F68B1674C924898B71,IMPHASH=0280A5811869EFED56B453A140477D51trueMicrosoft WindowsValid 10341000x80000000000000007989658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.937{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.937{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.937{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.577{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\DWrite.dll10.0.14393.4225 (rs1_release.210127-1811)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=BB0ECCB8A72B5926A58433666145D459,SHA256=9C082B0EF00A6E174062634F0421B1179D27BC9077A5C0B1FEB2AA74DBAC2E68,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x80000000000000007989654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.937{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843,IMPHASH=EAA4328F5E33714FA08C71E4AAE43CC1trueMicrosoft WindowsValid 734700x80000000000000007989653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.937{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007989652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.937{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4,IMPHASH=B6A1A16A2B5E910045E998CD7709E966trueMicrosoft WindowsValid 734700x80000000000000007989651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.531{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\d2d1.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft D2D LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationd2d1MD5=E15A420D82314AF63973D7D0AB3BA2DD,SHA256=C264B2FA1F3E67E558E2671807C06270926EF456F4FF83F1F9859B18184F187E,IMPHASH=5F8C6AF7D0781F35A516AEB072DAD045trueMicrosoft WindowsValid 734700x80000000000000007989650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.562{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\d2d1.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft D2D LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationd2d1MD5=E15A420D82314AF63973D7D0AB3BA2DD,SHA256=C264B2FA1F3E67E558E2671807C06270926EF456F4FF83F1F9859B18184F187E,IMPHASH=5F8C6AF7D0781F35A516AEB072DAD045trueMicrosoft WindowsValid 10341000x80000000000000007989649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.906{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.906{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\WindowsCodecs.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=B791899A46FD151559658F4F86C3C6F5,SHA256=E559B36A3CC2261C16916F2D49FA351DC4E21E5EC581AC43547ABA16F70CDA7E,IMPHASH=945C5ACF3D7F6243AD6374B1152227D8trueMicrosoft WindowsValid 10341000x80000000000000007989647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.906{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.906{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.906{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.906{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.906{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 10341000x80000000000000007989642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.906{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.906{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 10341000x80000000000000007989640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.906{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.906{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\threadpoolwinrt.dll10.0.14393.4169 (rs1_release.210107-1130)Windows WinRT ThreadpoolMicrosoft® Windows® Operating SystemMicrosoft Corporationthreadpoolwinrt.dllMD5=4D271D6FA08E19B78A99F948FB012F44,SHA256=92D9A5BC0F95FDE6BA83D17925122815BDF3803D949112852C3D97CFBA16D219,IMPHASH=0E03F54121A53AD6BC839C0721A3CECCtrueMicrosoft WindowsValid 10341000x80000000000000007989638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.906{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.906{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.906{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.906{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 10341000x80000000000000007989634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.906{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.890{3BF36828-DD0D-60DD-1000-00000000C801}3724676C:\Windows\System32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6aa58|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.890{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.890{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.890{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.890{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.890{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\mfplat.dll10.0.14393.4169 (rs1_release.210107-1130)Media Foundation Platform DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmfplat.dllMD5=6B3DD2386B60D0003B3A0A1AE706A9C5,SHA256=2DF94FA3C88D5D8AB5A981C0182263B5D8161CE0F96687D2DF7892EB4F25104C,IMPHASH=4B0B41F559164385A004BCC689586F63trueMicrosoft WindowsValid 734700x80000000000000007989627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.874{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\RTWorkQ.dll10.0.14393.479 (rs1_release.161110-2025)Realtime WorkQueue DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationRTWorkQ.dllMD5=1EABA23A7305A232C9A16C14806ED091,SHA256=3AD1A84A56EE0DA68B40D40770787FEED3DCF4A74BE172F01BD837FD680396E6,IMPHASH=41E263D9EB0100A59E34B18CF8F6F725trueMicrosoft WindowsValid 734700x80000000000000007989626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.499{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.UI.Immersive.dll10.0.14393.4283 (rs1_release.210303-1802)WINDOWS.UI.IMMERSIVEMicrosoft® Windows® Operating SystemMicrosoft CorporationWINDOWS.UI.IMMERSIVE.dllMD5=4331AC493E264AF1378E0082194D07A5,SHA256=81B8E123110B9C7A34957B9176791AD86EA874315D4555FDC85CF20975E08D99,IMPHASH=C0750252600F63F4BA1D73794E8FE8C0trueMicrosoft WindowsValid 734700x80000000000000007989625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.499{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.UI.Xaml.dll10.0.14393.4402 (rs1_release.210426-1725)Windows.UI.Xaml dllMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.UI.Xaml.dllMD5=D3AABF7BF9CFBD51194C622C0A6A7D78,SHA256=86F89179208C22EE22AD51820FCE323D0F1EF160F7ABB6EE8AB6F858AB4CDDD9,IMPHASH=B872FEAB4926DE1D74C3DF5AC4E62C2CtrueMicrosoft WindowsValid 10341000x80000000000000007989624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.796{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1700-00000000C801}1472C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.796{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007989622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.796{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1000-00000000C801}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x80000000000000007989621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2021-07-01 16:09:13.796{3BF36828-DD0D-60DD-1000-00000000C801}372\TSVCPIPE-ba6792c9-6e4d-400a-aa85-ef891e925242C:\Windows\System32\svchost.exe 10341000x80000000000000007989620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.796{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.796{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.796{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.781{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\samlib.dll10.0.14393.0 (rs1_release.160715-1616)SAM Library DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMLib.DLLMD5=4C413FEDB1B88DA18059890CE0BC95D1,SHA256=FAD279CE82D1616A533D6E5D3A20543B51FDBDDE4C764E09F6A01C8B0E44218A,IMPHASH=BF11630905AADA27934CD5411323FA5BtrueMicrosoft WindowsValid 10341000x80000000000000007989616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.781{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.781{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.781{3BF36828-DD0B-60DD-0B00-00000000C801}6522840C:\Windows\system32\lsass.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.781{3BF36828-DD0B-60DD-0B00-00000000C801}6522840C:\Windows\system32\lsass.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.781{3BF36828-DD0B-60DD-0B00-00000000C801}6522840C:\Windows\system32\lsass.exe{3BF36828-DD0D-60DD-1000-00000000C801}372C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.781{3BF36828-DD0B-60DD-0B00-00000000C801}6522840C:\Windows\system32\lsass.exe{3BF36828-DD0D-60DD-1000-00000000C801}372C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.781{3BF36828-DD0D-60DD-1000-00000000C801}372388C:\Windows\System32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6aa58|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.781{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.781{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.718{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843,IMPHASH=EAA4328F5E33714FA08C71E4AAE43CC1trueMicrosoft WindowsValid 734700x80000000000000007989606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.718{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4,IMPHASH=B6A1A16A2B5E910045E998CD7709E966trueMicrosoft WindowsValid 18141800x80000000000000007989605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2021-07-01 16:09:13.702{3BF36828-DD0D-60DD-1000-00000000C801}372\TSVCPIPE-ba6792c9-6e4d-400a-aa85-ef891e925242C:\Windows\System32\svchost.exe 734700x80000000000000007989604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.702{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\deviceassociation.dll10.0.14393.0 (rs1_release.160715-1616)Device Association Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdeviceassociation.dllMD5=68139108F7E1D4327BE76289E14C2159,SHA256=05436A7EE5EE877F3EA6B12604D41EFCE288F093AAEE03A906FB7C9A4A76DFDA,IMPHASH=CA757A840D91610BF593E8A2814EB9B3trueMicrosoft WindowsValid 10341000x80000000000000007989603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.687{3BF36828-DD0D-60DD-1100-00000000C801}6401724C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.671{3BF36828-DD0D-60DD-1100-00000000C801}6401724C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.671{3BF36828-DD0D-60DD-1100-00000000C801}6401724C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.671{3BF36828-DD0D-60DD-1100-00000000C801}6401724C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.671{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\dcomp.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft DirectComposition LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdcomp.dllMD5=40873566DBFF13981CA1AE23AC281C5D,SHA256=E52C4619C837358454B969D31E2E14ACDEDABB384272D48C03E4F0AF9A2C2B6E,IMPHASH=9651C547656809410E78B358203C1A1DtrueMicrosoft WindowsValid 734700x80000000000000007989598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.484{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\d3d10warp.dll10.0.14393.2608 (rs1_release.181024-1742)Direct3D 10 RasterizerMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D10Warp.dllMD5=B69F0419A16A616FE2D779EC98CD7FB9,SHA256=2D10B43F2137433E48A009227487C691E312D186691485D33B4FDF90D8423C9D,IMPHASH=E32C7474360C94A9FE5E17141A4AB35FtrueMicrosoft WindowsValid 734700x80000000000000007989597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.499{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\d3d10warp.dll10.0.14393.2608 (rs1_release.181024-1742)Direct3D 10 RasterizerMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D10Warp.dllMD5=B69F0419A16A616FE2D779EC98CD7FB9,SHA256=2D10B43F2137433E48A009227487C691E312D186691485D33B4FDF90D8423C9D,IMPHASH=E32C7474360C94A9FE5E17141A4AB35FtrueMicrosoft WindowsValid 734700x80000000000000007989596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.515{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\d3d10warp.dll10.0.14393.2608 (rs1_release.181024-1742)Direct3D 10 RasterizerMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D10Warp.dllMD5=B69F0419A16A616FE2D779EC98CD7FB9,SHA256=2D10B43F2137433E48A009227487C691E312D186691485D33B4FDF90D8423C9D,IMPHASH=E32C7474360C94A9FE5E17141A4AB35FtrueMicrosoft WindowsValid 734700x80000000000000007989595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.671{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007989594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.468{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\OneCoreUAPCommonProxyStub.dll10.0.14393.3808 (rs1_release.200707-2105)OneCoreUAP Common Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationOneCoreUAPCommonProxyStub.dllMD5=9F8EF1431E82015CD1918582A770DB35,SHA256=FC2073DCE9AC41DBF338FAFE85F2429D6D3812573D2192C7A906C1D46E0AB4FA,IMPHASH=D919FF32201FBB7C5B3EF498D589EAE4trueMicrosoft WindowsValid 734700x80000000000000007989593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.640{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x80000000000000007989592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.452{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.4169 (rs1_release.210107-1130)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=B877C5BDEA2215B3D3CF89F645EB535C,SHA256=2F5468CC4277C8CB4B2AD1095AFC739ECAE0F0B6EE78E57BF64A97F3BDA54C19,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 734700x80000000000000007989591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.515{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.4169 (rs1_release.210107-1130)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=B877C5BDEA2215B3D3CF89F645EB535C,SHA256=2F5468CC4277C8CB4B2AD1095AFC739ECAE0F0B6EE78E57BF64A97F3BDA54C19,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 734700x80000000000000007989590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.624{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\samcli.dll10.0.14393.0 (rs1_release.160715-1616)Security Accounts Manager Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMCLI.DLLMD5=AEF1161232D111EEA93F64B203F131AE,SHA256=C1DA3DF389A414AAA26FEEEA28F35AAC202CE3A5CC3AF26B7C0C14EBBC2157F9,IMPHASH=D27BDFF964B5FDB8A5E9B0599333826BtrueMicrosoft WindowsValid 734700x80000000000000007989589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.624{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007989588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.624{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007989587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.437{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\Windows.Gaming.Input.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Gaming Input APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Gaming.Input.dllMD5=6947CE1BEE28DA84EF0F9A9CCAC220D9,SHA256=5350654F9C04864F2A364C368348C1799DB7A949286AD946726D0A3583942386,IMPHASH=AA9A60973CD4BBAFA67132CB2D843B41trueMicrosoft WindowsValid 734700x80000000000000007989586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.624{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\CredProvDataModel.dll10.0.14393.4169 (rs1_release.210107-1130)Cred Prov Data ModelMicrosoft® Windows® Operating SystemMicrosoft CorporationCredProvDataModel.dllMD5=6B8B71ABE125771FEE8A44D0F941CEF3,SHA256=1C7C0865C8BD4CD12867432AC71144923344F596EFA2D7C42DD9EF37F508F519,IMPHASH=E95B43892FF230687F925F53516FD6F3trueMicrosoft WindowsValid 734700x80000000000000007989585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.609{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007989584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.437{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\UIAnimation.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Animation ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationUIAnimation.DLLMD5=7F8B0CD5AB8C3E677B98400A2E7C3A75,SHA256=D49C09FBF9BD077A81CB9DA8DE09D2EB1835BCF5F0153373DCE6B484A0F64227,IMPHASH=BC9606EA9B100715129576DB5908D6A8trueMicrosoft WindowsValid 18141800x80000000000000007989583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2021-07-01 16:09:13.609{3BF36828-DD0D-60DD-1000-00000000C801}372\TSVCPIPE-ba6792c9-6e4d-400a-aa85-ef891e925242C:\Windows\System32\svchost.exe 10341000x80000000000000007989582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.609{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007989581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.609{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1000-00000000C801}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 734700x80000000000000007989580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.437{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\ResourcePolicyClient.dll10.0.14393.3808 (rs1_release.200707-2105)Resource Policy ClientMicrosoft® Windows® Operating SystemMicrosoft CorporationResourcePolicyClient.dllMD5=8FD5FEFE4E020BBC2D95F07BCDC84F71,SHA256=E5E351822CCDEBF81C47C4CA1D5C158E2880C1BD29CA024D163FD9316F3046AE,IMPHASH=E494F732179E765F2CE18BC21CDB1948trueMicrosoft WindowsValid 18141800x80000000000000007989579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2021-07-01 16:09:13.609{3BF36828-DD0D-60DD-1000-00000000C801}372\TSVCPIPE-ba6792c9-6e4d-400a-aa85-ef891e925242C:\Windows\System32\svchost.exe 17141700x80000000000000007989578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-CreatePipe2021-07-01 16:09:13.609{3BF36828-DD0D-60DD-1000-00000000C801}372\TSVCPIPE-ba6792c9-6e4d-400a-aa85-ef891e925242C:\Windows\System32\svchost.exe 734700x80000000000000007989577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.515{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\ResourcePolicyClient.dll10.0.14393.3808 (rs1_release.200707-2105)Resource Policy ClientMicrosoft® Windows® Operating SystemMicrosoft CorporationResourcePolicyClient.dllMD5=8FD5FEFE4E020BBC2D95F07BCDC84F71,SHA256=E5E351822CCDEBF81C47C4CA1D5C158E2880C1BD29CA024D163FD9316F3046AE,IMPHASH=E494F732179E765F2CE18BC21CDB1948trueMicrosoft WindowsValid 10341000x80000000000000007989576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.609{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.609{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.609{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.609{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.609{3BF36828-DD0D-60DD-1000-00000000C801}3721972C:\Windows\System32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6a73d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.609{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.609{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.609{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.593{3BF36828-DD0D-60DD-0F00-00000000C801}3442016C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.593{3BF36828-DD0D-60DD-0F00-00000000C801}3441364C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.437{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\avrt.dll10.0.14393.2969 (rs1_release.190503-1820)Multimedia Realtime RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationavrt.dllMD5=8EC9E2490A9FFA637115F758B22FFF78,SHA256=1A3295CBF09E9367CCE68505D949D724FB9B66B4516770B7D594273C3BCFC5B8,IMPHASH=F266C00A61E480BB0A81B1A89DB30014trueMicrosoft WindowsValid 10341000x80000000000000007989565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.593{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.593{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.593{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.593{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.593{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.593{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.593{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.593{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.593{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.593{3BF36828-DD0B-60DD-0B00-00000000C801}6522840C:\Windows\system32\lsass.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.593{3BF36828-DD0D-60DD-0F00-00000000C801}3442016C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.437{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\d3d11.dll10.0.14393.4169 (rs1_release.210107-1130)Direct3D 11 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D11.dllMD5=EDCE49E7FDE3BD70DF70F05B8C47ACD4,SHA256=864EC8827EB03CDF7F2FC5E318283A7835E600CE548590C59E1DCF8BF8112089,IMPHASH=460DAE5CA92CB705C37D78BE630D6120trueMicrosoft WindowsValid 734700x80000000000000007989553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.515{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\d3d11.dll10.0.14393.4169 (rs1_release.210107-1130)Direct3D 11 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D11.dllMD5=EDCE49E7FDE3BD70DF70F05B8C47ACD4,SHA256=864EC8827EB03CDF7F2FC5E318283A7835E600CE548590C59E1DCF8BF8112089,IMPHASH=460DAE5CA92CB705C37D78BE630D6120trueMicrosoft WindowsValid 734700x80000000000000007989552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.406{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\WinTypes.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=AAA321C636929D23C58B5A78EDA04B61,SHA256=E33D62CC132B8D790B3604DBE227CD2A270E30C1B71881BB4E3B00732CE56E5C,IMPHASH=58F905117CF0434AF54A7CD9D43EEF30trueMicrosoft WindowsValid 734700x80000000000000007989551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.406{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\WinTypes.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=AAA321C636929D23C58B5A78EDA04B61,SHA256=E33D62CC132B8D790B3604DBE227CD2A270E30C1B71881BB4E3B00732CE56E5C,IMPHASH=58F905117CF0434AF54A7CD9D43EEF30trueMicrosoft WindowsValid 734700x80000000000000007989550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.406{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\WinTypes.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=AAA321C636929D23C58B5A78EDA04B61,SHA256=E33D62CC132B8D790B3604DBE227CD2A270E30C1B71881BB4E3B00732CE56E5C,IMPHASH=58F905117CF0434AF54A7CD9D43EEF30trueMicrosoft WindowsValid 734700x80000000000000007989549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.515{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\WinTypes.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=AAA321C636929D23C58B5A78EDA04B61,SHA256=E33D62CC132B8D790B3604DBE227CD2A270E30C1B71881BB4E3B00732CE56E5C,IMPHASH=58F905117CF0434AF54A7CD9D43EEF30trueMicrosoft WindowsValid 734700x80000000000000007989548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.406{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\CoreUIComponents.dll-----MD5=938961BA199F9626C72673E8D67A0D56,SHA256=92414B7F78A45D4DE494F3283B2A33A1F422E32F73C1733AA9071EE0B89ADC5E,IMPHASH=E1E6E93CD96B5C1875509E930B2B8C21trueMicrosoft WindowsValid 734700x80000000000000007989547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.562{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x80000000000000007989546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.562{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FA,IMPHASH=5BAA515B293A764CA06512D078C4E624trueMicrosoft WindowsValid 734700x80000000000000007989545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.374{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\ism32k.dll-----MD5=2D64FFE4D9D69749DAE22929EAF7C0E3,SHA256=DE4B60F73BE4265C83E68C80B984F5B06B69DB281E4F1365DBBAFB9D9366D9B1,IMPHASH=5EAAB1EA34F06850795E43CC80F7A946trueMicrosoft WindowsValid 734700x80000000000000007989544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.374{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\WindowsCodecs.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=B791899A46FD151559658F4F86C3C6F5,SHA256=E559B36A3CC2261C16916F2D49FA351DC4E21E5EC581AC43547ABA16F70CDA7E,IMPHASH=945C5ACF3D7F6243AD6374B1152227D8trueMicrosoft WindowsValid 734700x80000000000000007989543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.546{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\cabinet.dll5.00 (rs1_release.160715-1616)Microsoft® Cabinet File APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcabinet.dllMD5=08A4A2712DB2AE10E483FB74E46B0E73,SHA256=EEB32E3E4256CC9935227ACD5BA576B75F1F6FE3C818D2127513CB22F823FECB,IMPHASH=536E202FBC448C2C3B40D60D87620951trueMicrosoft WindowsValid 734700x80000000000000007989542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.531{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x80000000000000007989541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.531{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x80000000000000007989540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.531{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FA,IMPHASH=5BAA515B293A764CA06512D078C4E624trueMicrosoft WindowsValid 734700x80000000000000007989539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.359{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\dwmghost.dll10.0.14393.0 (rs1_release.160715-1616)DWMGhostMicrosoft® Windows® Operating SystemMicrosoft CorporationDWMGhost.DLLMD5=E90480135CCF153367927193360E1704,SHA256=1E38DCCFBB4E3F7A97ACF9B8F35A27EDA314779E17951B62915BFEF2C4FE1905,IMPHASH=E6DA3EBF6A2D12D95C9048E332A1FCA4trueMicrosoft WindowsValid 734700x80000000000000007989538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.359{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\CoreMessaging.dll10.0.14393.3930Microsoft CoreMessaging DllMicrosoft® Windows® Operating SystemMicrosoft CorporationCoreMessaging.dllMD5=3D9D2F367587B2E93F2868F52D4ACBDD,SHA256=B4B27A7D4B9B685B6015D090B6A3E0E578AFBDE8D6C06A8F2E606A439D5A4BA4,IMPHASH=92CA7117B99353AC45978E95EEB5A46DtrueMicrosoft WindowsValid 734700x80000000000000007989537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.499{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\CoreMessaging.dll10.0.14393.3930Microsoft CoreMessaging DllMicrosoft® Windows® Operating SystemMicrosoft CorporationCoreMessaging.dllMD5=3D9D2F367587B2E93F2868F52D4ACBDD,SHA256=B4B27A7D4B9B685B6015D090B6A3E0E578AFBDE8D6C06A8F2E606A439D5A4BA4,IMPHASH=92CA7117B99353AC45978E95EEB5A46DtrueMicrosoft WindowsValid 734700x80000000000000007989536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.343{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\MsSpellCheckingFacility.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Spell Checking FacilityMicrosoft® Windows® Operating SystemMicrosoft CorporationMsSpellCheckingFacility.dllMD5=C0079D2D05B1563423C2BF0AED09CE87,SHA256=B55921D0A70FC3F5097010F49C6342E47F30F6B6EB4475CC4F7683954A00836E,IMPHASH=BD8E5A2DF0B988B5F76A40E2D1BEBF97trueMicrosoft WindowsValid 734700x80000000000000007989535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.515{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\dxgi.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)DirectX Graphics InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationdxgi.dllMD5=3C32D763740C83DB2C44DEA4B6F18C54,SHA256=ED26DBB9C3656767CA25887CDC3B45CF978AFC75E064FF5457A36C7A69E55223,IMPHASH=83736A76214A92F5C1B53248D0C22863trueMicrosoft WindowsValid 734700x80000000000000007989534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.515{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007989533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.515{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x80000000000000007989532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.343{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.UI.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Runtime UI Foundation DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.UI.dllMD5=FEC31833E8D13591BAECE59B8E39F53C,SHA256=424BAEA0DC8EF34305A881F9B36F22E8CFECA403A0D03B61782D69535387A401,IMPHASH=B073DE28C43175420FE754415439CCEAtrueMicrosoft WindowsValid 734700x80000000000000007989531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.499{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\KBDUS.DLL10.0.14393.0 (rs1_release.160715-1616)United States Keyboard LayoutMicrosoft® Windows® Operating SystemMicrosoft Corporationkbdus.dllMD5=974F03FF3BDB6786F890329340E29CFF,SHA256=D02BCC19AB89EE188DD31D17DEBAECDE26CFC0B30B6E5B0CC5889CCC85202E63,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007989530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.499{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\iertutil.dll11.00.14393.4283 (rs1_release.210303-1802)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=5541A4A7FB64063F8AFB192ABD4DAE70,SHA256=AABF2E6C392F29B77F076BF705976B68B3100138BC63060335BD154B8417754D,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x80000000000000007989529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.343{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\dwmcore.dll10.0.14393.3297 (rs1_release_1.191001-1045)Microsoft DWM Core LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationdwmcoreMD5=03C407A9E53E7F5B008408EE7DD98C49,SHA256=128569219AE53C10BBF6630E2CEF5CAEE94EEE53D149EAB67B8FE527C77C73F5,IMPHASH=3574E7EBEB7B8AD883019C49AAEB6220trueMicrosoft WindowsValid 734700x80000000000000007989528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.468{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x80000000000000007989527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.468{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\rdsdwmdr.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Remote Desktop Services Desktop Composition ComponentMicrosoft® Windows® Operating SystemMicrosoft Corporationrdsdwmdr.dllMD5=8AB1C043AEA9B8E3E69F66FA2D6D0902,SHA256=6405F183B338D172526735F3C68A22E6D927EF62EF2B8D184E8702525B08C529,IMPHASH=C6DD7624FA229BF9070263DE7139C105trueMicrosoft WindowsValid 734700x80000000000000007989526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.343{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 10341000x80000000000000007989525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.452{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.452{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007989523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.343{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\dcomp.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft DirectComposition LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdcomp.dllMD5=40873566DBFF13981CA1AE23AC281C5D,SHA256=E52C4619C837358454B969D31E2E14ACDEDABB384272D48C03E4F0AF9A2C2B6E,IMPHASH=9651C547656809410E78B358203C1A1DtrueMicrosoft WindowsValid 10341000x80000000000000007989522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.437{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.437{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.437{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570,IMPHASH=2E790E44628AED89C2CC17E1E4A5CE1CtrueMicrosoft WindowsValid 734700x80000000000000007989519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.437{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x80000000000000007989518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.327{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\globinputhost.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows Globalization Extension API for InputMicrosoft® Windows® Operating SystemMicrosoft Corporationglobinputhost.dllMD5=B92070EB12AF4C292155EBB155A0B6C3,SHA256=F155CFD56DC7199F16377259C55C0E8A26662A81588264F01D0E1F1387721DDC,IMPHASH=AB0E9B104017117F7BE18F3C6AAC279AtrueMicrosoft WindowsValid 734700x80000000000000007989517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.437{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x80000000000000007989516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.327{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\MrmCoreR.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Windows MRMMicrosoft® Windows® Operating SystemMicrosoft CorporationMrmCore.dllMD5=D730B5700BEB4A7E6E4244684356739C,SHA256=26083BEB490E48F5711D69A0E597B7A4CC6FB4B31EDCD535A0FF0DFBE4E6F8DD,IMPHASH=462A9FA6F44F25C68798F197AC8EC9D9trueMicrosoft WindowsValid 734700x80000000000000007989515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.327{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\dxgi.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)DirectX Graphics InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationdxgi.dllMD5=3C32D763740C83DB2C44DEA4B6F18C54,SHA256=ED26DBB9C3656767CA25887CDC3B45CF978AFC75E064FF5457A36C7A69E55223,IMPHASH=83736A76214A92F5C1B53248D0C22863trueMicrosoft WindowsValid 734700x80000000000000007989514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.327{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\Winlangdb.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows Bcp47 Language DatabaseMicrosoft® Windows® Operating SystemMicrosoft CorporationWinlangdb.dllMD5=50E4D5039A8CDC4A6B540FCA4584CDBD,SHA256=AEF4A7FDBF3D97CAA5750A3779246AF5E562176179153B356689A0E3FC5BB444,IMPHASH=E258085E2BBA36D50AAE0D0E18AC11EAtrueMicrosoft WindowsValid 734700x80000000000000007989513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.312{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\uDWM.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationudwm.dllMD5=92156F4F346EEF68A638B377310E5A44,SHA256=1ACA1754494BC261C5AE9891F3CDFE9A9060D1F882858B9087E6365C9572D360,IMPHASH=4454B28575E3D261B0B850E37D02A98DtrueMicrosoft WindowsValid 734700x80000000000000007989512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.374{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x80000000000000007989511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.312{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.UI.XamlHost.dll10.0.14393.4169 (rs1_release.210107-1130)XAML HostMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.UI.XamlHost.dllMD5=3EF300C64E57C482FEC2A62454CC45BC,SHA256=CED0EEE32D019EAF1BE70190B87FA9858054DEE20DE77EF0BDC67C2B8B0DD669,IMPHASH=76C7A23349305BC2F339502E1330DC92trueMicrosoft WindowsValid 734700x80000000000000007989510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.312{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x80000000000000007989509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.359{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x80000000000000007989508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.312{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\dwmredir.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft Desktop Window Manager Redirection ComponentMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmredir.dllMD5=05B2A35A72410F77A402FA5B76CF2086,SHA256=13F6D45C49526D75A2E781E59E0C73DF7774579BEF684782B5A283926F8D390E,IMPHASH=EB1A8B672979894B61A21251DA6441A6trueMicrosoft WindowsValid 10341000x80000000000000007989507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.359{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.359{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.312{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\wincorlib.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Windows ® WinRT core libraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwincorlib.DLLMD5=F08F4542548A5CD4F521491164598021,SHA256=D60844E5A091DD42CB1BC03CA76B8BBAF55C5B1A9EC3F1403AB241DDE36CA630,IMPHASH=7118E177B350BBAD51DE9533CF52B852trueMicrosoft WindowsValid 10341000x80000000000000007989504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.359{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.359{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.359{3BF36828-DD0D-60DD-0F00-00000000C801}3442016C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.359{3BF36828-DD0D-60DD-0F00-00000000C801}3441364C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\system32\dwm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.359{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x80000000000000007989499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.359{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x80000000000000007989498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.312{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117,IMPHASH=BF1AF19CCBABA6D54178C43BE36CD985trueMicrosoft WindowsValid 734700x80000000000000007989497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.312{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.UI.Logon.dll10.0.14393.4402 (rs1_release.210426-1725)Logon User ExperienceMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.UI.Logon.dllMD5=30C95AED65FA45F9EFF52E3C530C63D6,SHA256=9E8EE30967269AC252D9DA33E45DFCE540676F5A6E730B88FE843E48EBE49457,IMPHASH=54FBE131063E4D40AC82419379C61133trueMicrosoft WindowsValid 10341000x80000000000000007989496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.343{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.343{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007989494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.343{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007989493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.343{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007989492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.343{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007989491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.343{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007989490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.312{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exeMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542trueMicrosoft WindowsValid 10341000x80000000000000007989489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.312{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.312{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.312{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.312{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.312{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.312{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.312{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\msctf.dll10.0.14393.4225 (rs1_release.210127-1811)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=1FD254D30743876981194F7E17ECDB6F,SHA256=0CB67AC140097A888B7ED85C9A31F8967D16661B82557CE5D61FA70A85BDF8B8,IMPHASH=BC8DDE4D2412D48001350313FD2B7840trueMicrosoft WindowsValid 734700x80000000000000007989482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.312{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\BCP47Langs.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)BCP47 Language ClassesMicrosoft® Windows® Operating SystemMicrosoft CorporationBCP47Lang.dllMD5=F688C2B9DD2EB56C3B0312B6380338AA,SHA256=B22DB210486D3B5F4EEB17900C5E7AA0EEFEDBB068A0C4858EFE9F8018C34628,IMPHASH=31EA1856BC7597303D8126028BBFDFB8trueMicrosoft WindowsValid 734700x80000000000000007989481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.312{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117,IMPHASH=BF1AF19CCBABA6D54178C43BE36CD985trueMicrosoft WindowsValid 734700x80000000000000007989480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.312{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007989479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.312{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007989478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.312{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007989477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.312{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007989476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.312{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007989475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.312{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007989474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.312{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007989473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.312{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007989472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.312{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007989471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.312{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007989470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.312{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=D0DB3DD09FB2B4ADABF4E719FAFC4EB9,SHA256=8B7C056B5F4AB604ED5077A39C63CE1B5A34929DE76DA4A3C54D6E648D123BAB,IMPHASH=AD7CEB919D43FA2BD394EC803EB6BCDAtrueMicrosoft WindowsValid 734700x80000000000000007989469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.312{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007989468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.312{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007989467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.312{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007989466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.281{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\sppc.dll10.0.14393.67 (rs1_release.160804-2231)Software Licensing Client DllMicrosoft® Windows® Operating SystemMicrosoft Corporationsppc.dllMD5=7CF84329545035CC0833119C7268A620,SHA256=49E3FA8B9F9ACB1A2CEDE37970361316C93286CEE7F70DE5985E7135498A4210,IMPHASH=BC4A2B9355432144727A5322381AB386trueMicrosoft WindowsValid 10341000x80000000000000007989465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.296{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.296{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.296{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.296{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.296{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.296{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.296{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.296{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.296{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.296{3BF36828-E8A8-60DD-F501-00000000C801}25762064C:\Windows\system32\csrss.exe{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007989455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.296{3BF36828-E8A8-60DD-F601-00000000C801}4416968C:\Windows\system32\winlogon.exe{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007989454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.305{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-2{3BF36828-E8A9-60DD-6E00-180000000000}0x18006e2SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000007989453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.296{3BF36828-DD0B-60DD-0B00-00000000C801}652860C:\Windows\system32\lsass.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1b160|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.296{3BF36828-DD0B-60DD-0B00-00000000C801}652860C:\Windows\system32\lsass.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.296{3BF36828-DD0B-60DD-0B00-00000000C801}652860C:\Windows\system32\lsass.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.281{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\slc.dll10.0.14393.67 (rs1_release.160804-2231)Software Licensing Client DllMicrosoft® Windows® Operating SystemMicrosoft Corporationslc.dllMD5=060E11DCB875D981E948073986E295DC,SHA256=30858EA58F24537CC3369091F92AD70C59877BDB1FDF8DEC7762A7AB72DDE885,IMPHASH=70AAA0F56F084D1AE09EB5CD51B268ECtrueMicrosoft WindowsValid 734700x80000000000000007989449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.281{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\LogonController.dll10.0.14393.4169 (rs1_release.210107-1130)Logon UX ControllerMicrosoft® Windows® Operating SystemMicrosoft CorporationLogonController.dllMD5=EEFFA85317E0C7483D747B7C0F20ED38,SHA256=6DC57621059816648A4D438874A29C3F697A86EFC8B04E2945F2C74733DB28A5,IMPHASH=B3F665DED064F7C7E844A2E67FA0267DtrueMicrosoft WindowsValid 734700x80000000000000007989448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.281{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570,IMPHASH=2E790E44628AED89C2CC17E1E4A5CE1CtrueMicrosoft WindowsValid 10341000x80000000000000007989447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.281{3BF36828-E8A9-60DD-F701-00000000C801}1708424C:\Windows\system32\LogonUI.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.281{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x80000000000000007989445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.281{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\userenv.dll10.0.14393.3986 (rs1_release.201002-1707)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=047D26DCED07A10913C3E7C3A7502BED,SHA256=143C661F79AC6BB271452A10C2A19F6B1AAAAE43B4062B6CFF173F7D8ABC40FE,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x80000000000000007989444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.281{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x80000000000000007989443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.281{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007989442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.281{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x80000000000000007989441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.281{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x80000000000000007989440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.281{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007989439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.281{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x80000000000000007989438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.281{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x80000000000000007989437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.281{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x80000000000000007989436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.265{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x80000000000000007989435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.265{3BF36828-DD0D-60DD-0F00-00000000C801}3442016C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.265{3BF36828-DD0D-60DD-0F00-00000000C801}3441364C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.265{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x80000000000000007989432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.265{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x80000000000000007989431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.265{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exeMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3trueMicrosoft WindowsValid 734700x80000000000000007989430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.265{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007989429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.265{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007989428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.265{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007989427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.265{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007989426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.265{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007989425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.265{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007989424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.265{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007989423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.265{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007989422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.265{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007989421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.265{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007989420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.265{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007989419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.265{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007989418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.265{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.265{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.265{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007989415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.265{3BF36828-E8A8-60DD-F501-00000000C801}2576C:\Windows\System32\csrss.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007989414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.265{3BF36828-E8A8-60DD-F501-00000000C801}2576C:\Windows\System32\csrss.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 10341000x80000000000000007989413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.249{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.249{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.249{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.249{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\dwminit.dll10.0.14393.2273 (rs1_release_1.180427-1811)DWMInitMicrosoft® Windows® Operating SystemMicrosoft CorporationDWMInit.DLLMD5=2F84B6415D918374A67E50BCE01C3CA2,SHA256=D6A64DE0BFDD504D9C57760F8847EEB3F637774D958BD9D52F000B66EB2AD9D2,IMPHASH=8A9252872C3861ED35BE90BB3A9E6429trueMicrosoft WindowsValid 10341000x80000000000000007989409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.249{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.249{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.249{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.249{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.249{3BF36828-E8A8-60DD-F501-00000000C801}2576C:\Windows\System32\csrss.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0,IMPHASH=FED414075FF3F23F21C898B1860393B4trueMicrosoft WindowsValid 10341000x80000000000000007989404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.249{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.249{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.249{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.249{3BF36828-E8A8-60DD-F501-00000000C801}25762064C:\Windows\system32\csrss.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007989400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.249{3BF36828-DD0B-60DD-0B00-00000000C801}652860C:\Windows\system32\lsass.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.249{3BF36828-E8A8-60DD-F601-00000000C801}44162252C:\Windows\system32\winlogon.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.249{3BF36828-DD0B-60DD-0B00-00000000C801}652860C:\Windows\system32\lsass.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007989397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.263{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3a68055 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e72SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000007989396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.249{3BF36828-DD0B-60DD-0B00-00000000C801}652860C:\Windows\system32\lsass.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.249{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 10341000x80000000000000007989394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.249{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.249{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.249{3BF36828-DD0D-60DD-0F00-00000000C801}3442016C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.249{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\UXInit.dll10.0.14393.0 (rs1_release.160715-1616)Windows User Experience Session Initialization DllMicrosoft® Windows® Operating SystemMicrosoft CorporationUXINIT.DLLMD5=3803D95BBCB88A09B1F4043F77B0A52C,SHA256=C7B7522CA9BA3F683ADCFB20AE30533B34E4FC91BEDD283E93D0B733E6B97049,IMPHASH=ED2AB7D8E1273F7C87D4CE77B3E62340trueMicrosoft WindowsValid 734700x80000000000000007989390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.249{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 10341000x80000000000000007989389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.249{3BF36828-DD0D-60DD-0F00-00000000C801}3442016C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.249{3BF36828-DD0D-60DD-0F00-00000000C801}3441364C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.249{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 10341000x80000000000000007989386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.249{3BF36828-DD0D-60DD-0F00-00000000C801}3442016C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.249{3BF36828-DD0D-60DD-0F00-00000000C801}3441364C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.249{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x80000000000000007989383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.234{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\KBDUS.DLL10.0.14393.0 (rs1_release.160715-1616)United States Keyboard LayoutMicrosoft® Windows® Operating SystemMicrosoft Corporationkbdus.dllMD5=974F03FF3BDB6786F890329340E29CFF,SHA256=D02BCC19AB89EE188DD31D17DEBAECDE26CFC0B30B6E5B0CC5889CCC85202E63,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007989382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.234{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\KBDUS.DLL10.0.14393.0 (rs1_release.160715-1616)United States Keyboard LayoutMicrosoft® Windows® Operating SystemMicrosoft Corporationkbdus.dllMD5=974F03FF3BDB6786F890329340E29CFF,SHA256=D02BCC19AB89EE188DD31D17DEBAECDE26CFC0B30B6E5B0CC5889CCC85202E63,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007989381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.202{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\KBDUS.DLL10.0.14393.0 (rs1_release.160715-1616)United States Keyboard LayoutMicrosoft® Windows® Operating SystemMicrosoft Corporationkbdus.dllMD5=974F03FF3BDB6786F890329340E29CFF,SHA256=D02BCC19AB89EE188DD31D17DEBAECDE26CFC0B30B6E5B0CC5889CCC85202E63,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007989380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.202{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\msctf.dll10.0.14393.4225 (rs1_release.210127-1811)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=1FD254D30743876981194F7E17ECDB6F,SHA256=0CB67AC140097A888B7ED85C9A31F8967D16661B82557CE5D61FA70A85BDF8B8,IMPHASH=BC8DDE4D2412D48001350313FD2B7840trueMicrosoft WindowsValid 734700x80000000000000007989379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.202{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007989378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.202{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007989377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.202{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007989376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.202{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007989375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.187{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x80000000000000007989374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.187{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007989373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.187{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007989372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.187{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007989371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.187{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007989370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.171{3BF36828-E8A8-60DD-F501-00000000C801}2576668C:\Windows\system32\csrss.exe{3BF36828-DD0D-60DD-1000-00000000C801}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5178f 354300x80000000000000007989369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:10.764{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62214-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007989368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:10.764{3BF36828-DD1D-60DD-2F00-00000000C801}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62214-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007989367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:10.374{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62213-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899322Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:13.389{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=006E28D68D17B611ECE0A71CD8A63E25,SHA256=D8EB7C3CF6F523263697015898627680A91A9D60E8405CF6B388628825228D7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007990419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-DD0C-60DD-0C00-00000000C801}864C:\Windows\System32\svchost.exeC:\Windows\System32\ACPBackgroundManagerPolicy.dll10.0.14393.4169 (rs1_release.210107-1130)<d> ACP Background Manager Policy DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationACPBackgroundManagerPolicy.dllMD5=9F078C11A3C742805A5ADBBE9193ED82,SHA256=032714E159568A3340748431270EF6B782764C77EFD635692D0B00BE53D5A214,IMPHASH=68851D5EC90E4C2E5B17C1051E1D66E0trueMicrosoft WindowsValid 734700x80000000000000007990418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.749{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\notificationplatformcomponent.dll10.0.14393.4169 (rs1_release.210107-1130)NotificationPlatformComponentMicrosoft® Windows® Operating SystemMicrosoft CorporationNotificationPlatformComponentMD5=6B6EB130EF7E0F2E98B45F2BE465E203,SHA256=EE8CC1F3DCE0F39EEB4682C977596162E117221908238C3CBC6824ED6B14630A,IMPHASH=0BCBF883292F76AEDADDC40DC5A349F3trueMicrosoft WindowsValid 734700x80000000000000007990417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.749{3BF36828-DD0C-60DD-0C00-00000000C801}864C:\Windows\System32\svchost.exeC:\Windows\System32\BackgroundMediaPolicy.dll10.0.14393.4169 (rs1_release.210107-1130)<d> Background Media Policy DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationBackgroundMediaPolicy.dllMD5=A8ED9FB3A4D2D265C994EA69D15EB51B,SHA256=71792A30091BFAAAF0D210CA2C3445421E67561F24D341A05D9714BD980D3A01,IMPHASH=7C859C4B1D79EAE83064D0157EECD9B1trueMicrosoft WindowsValid 734700x80000000000000007990416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.937{3BF36828-E8AA-60DD-0402-00000000C801}2060C:\Windows\System32\userinit.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570,IMPHASH=2E790E44628AED89C2CC17E1E4A5CE1CtrueMicrosoft WindowsValid 10341000x80000000000000007990415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.937{3BF36828-DD0D-60DD-0F00-00000000C801}3442296C:\Windows\system32\svchost.exe{3BF36828-E8AA-60DD-0402-00000000C801}2060C:\Windows\system32\userinit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.937{3BF36828-DD0D-60DD-0F00-00000000C801}3441364C:\Windows\system32\svchost.exe{3BF36828-E8AA-60DD-0402-00000000C801}2060C:\Windows\system32\userinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.937{3BF36828-E8AA-60DD-0402-00000000C801}2060C:\Windows\System32\userinit.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007990412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.937{3BF36828-E8AA-60DD-0402-00000000C801}2060C:\Windows\System32\userinit.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007990411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.937{3BF36828-E8AA-60DD-0402-00000000C801}2060C:\Windows\System32\userinit.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x80000000000000007990410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.937{3BF36828-E8AA-60DD-0402-00000000C801}2060C:\Windows\System32\userinit.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x80000000000000007990409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.937{3BF36828-E8AA-60DD-0402-00000000C801}2060C:\Windows\System32\userinit.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x80000000000000007990408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.937{3BF36828-E8AA-60DD-0402-00000000C801}2060C:\Windows\System32\userinit.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007990407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.937{3BF36828-E8AA-60DD-0402-00000000C801}2060C:\Windows\System32\userinit.exeC:\Windows\System32\userenv.dll10.0.14393.3986 (rs1_release.201002-1707)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=047D26DCED07A10913C3E7C3A7502BED,SHA256=143C661F79AC6BB271452A10C2A19F6B1AAAAE43B4062B6CFF173F7D8ABC40FE,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x80000000000000007990406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.749{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\WindowManagement.dll10.0.14393.4169 (rs1_release.210107-1130)Window ManagementMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowManagement.dllMD5=EB7CA0304AAF49EFDD898FC7435260B3,SHA256=BB2F8D81E8CDAD44DB55D18034A88A5CAF2FD95A4D929868F390EF734CA8BEBB,IMPHASH=ABFA5162DF4EF9A162E627EE90329298trueMicrosoft WindowsValid 734700x80000000000000007990405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.921{3BF36828-E8AA-60DD-0402-00000000C801}2060C:\Windows\System32\userinit.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x80000000000000007990404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.921{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.921{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.921{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.921{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.921{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.921{3BF36828-E8A8-60DD-F501-00000000C801}25762064C:\Windows\system32\csrss.exe{3BF36828-E8AA-60DD-0402-00000000C801}2060C:\Windows\system32\userinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007990398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.921{3BF36828-E8A8-60DD-F601-00000000C801}44161228C:\Windows\system32\winlogon.exe{3BF36828-E8AA-60DD-0402-00000000C801}2060C:\Windows\system32\userinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+15b13|C:\Windows\system32\winlogon.exe+ea76|C:\Windows\system32\winlogon.exe+b12f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007990397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.926{3BF36828-E8AA-60DD-0402-00000000C801}2060C:\Windows\System32\userinit.exe10.0.14393.0 (rs1_release.160715-1616)Userinit Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationUSERINIT.EXEC:\Windows\system32\userinit.exeC:\Windows\system32\ATTACKRANGE\Administrator{3BF36828-E8A9-60DD-F846-180000000000}0x1846f82HighMD5=C1B1FFC800BE2F31EB2CF8CB40629C69,SHA256=CFC6A18FC8FE7447ECD491345A32F0F10208F114B70A0E9D1CD72F6070D5B36F,IMPHASH=BFA137B16F3492AFCA0551687B067C04{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exewinlogon.exe 734700x80000000000000007990396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.749{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\Windows.Security.Authentication.Web.Core.dll10.0.14393.4169 (rs1_release.210107-1130)Token Broker WinRT APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Security.Authentication.Web.Core.dllMD5=E3AB65431FF6EA142FECF301220904D0,SHA256=60F168A317109BA364699F1FA1A2DDD8E5B0008A16CD7F1DB80583848DFCA7CF,IMPHASH=5D6DEAB27561AE10405A1329A2A1D871trueMicrosoft WindowsValid 10341000x80000000000000007990395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.921{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.906{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007990393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.749{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\ExecModelClient.dll10.0.14393.4169 (rs1_release.210107-1130)ExecModelClientMicrosoft® Windows® Operating SystemMicrosoft CorporationExecModelClient.dllMD5=178BCB2B937C94CA144C326FD678A322,SHA256=932D0710FD612EDBE2D0433ABE294AD17D23CB8D43DE7F4CD8E01C58D279C1CE,IMPHASH=B1099E1B098B6F4C7DC6D071206DFC70trueMicrosoft WindowsValid 734700x80000000000000007990392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.734{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\TextInputFramework.dll10.0.14393.4169 (rs1_release.210107-1130)"TextInputFramework.DYNLINK"Microsoft® Windows® Operating SystemMicrosoft Corporation"TextInputFramework.DYNLINK"MD5=A5D471D5AA5008C13D15681FC09706DF,SHA256=16033864F3B5FFFB0A5E198CEE57840A21415E4BDB16D7B9A430CED8A8FFE687,IMPHASH=4B3A790624F27F9554D88782F051B709trueMicrosoft WindowsValid 734700x80000000000000007990391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.890{3BF36828-DD0D-60DD-1200-00000000C801}396C:\Windows\System32\svchost.exeC:\Windows\System32\OneCoreCommonProxyStub.dll10.0.14393.2395 (rs1_release_inmarket.180714-1932)OneCore Common Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationOneCoreCommonProxyStub.dllMD5=02CEC1566FB0709923FF7A9FEC254D96,SHA256=81BED60AEB79C489E9F79996A3F0AB626E6CA247EBB656B6B9897C47A39F6AFB,IMPHASH=69A8B7E9F373278F52FE45A83CE3A380trueMicrosoft WindowsValid 734700x80000000000000007990390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.718{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\cdprt.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft (R) CDP Client WinRT APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcdprt.dllMD5=6443C0E329DA3DB8B686AB8BEF8E183B,SHA256=B2177F7843D9B930090B38D4C7E02FA7B1EDB63E900AB2C82E7425F53C7C4B5B,IMPHASH=388C6512410E6775B199D829CBAD2B2BtrueMicrosoft WindowsValid 734700x80000000000000007990389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.781{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\System32\svchost.exeC:\Windows\System32\cdprt.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft (R) CDP Client WinRT APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcdprt.dllMD5=6443C0E329DA3DB8B686AB8BEF8E183B,SHA256=B2177F7843D9B930090B38D4C7E02FA7B1EDB63E900AB2C82E7425F53C7C4B5B,IMPHASH=388C6512410E6775B199D829CBAD2B2BtrueMicrosoft WindowsValid 734700x80000000000000007990388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.890{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeC:\Windows\System32\OneCoreCommonProxyStub.dll10.0.14393.2395 (rs1_release_inmarket.180714-1932)OneCore Common Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationOneCoreCommonProxyStub.dllMD5=02CEC1566FB0709923FF7A9FEC254D96,SHA256=81BED60AEB79C489E9F79996A3F0AB626E6CA247EBB656B6B9897C47A39F6AFB,IMPHASH=69A8B7E9F373278F52FE45A83CE3A380trueMicrosoft WindowsValid 734700x80000000000000007990387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.890{3BF36828-DD0D-60DD-1200-00000000C801}396C:\Windows\System32\svchost.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BF,IMPHASH=B74E4EE6BBCE405BE73914241C9AF2C8trueMicrosoft WindowsValid 734700x80000000000000007990386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.890{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BF,IMPHASH=B74E4EE6BBCE405BE73914241C9AF2C8trueMicrosoft WindowsValid 734700x80000000000000007990385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.890{3BF36828-DD0D-60DD-1200-00000000C801}396C:\Windows\System32\svchost.exeC:\Windows\System32\usermgrcli.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)UserMgr API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationusermgrcli.dllMD5=53088C541D573FB17068D8C7FE2C91EA,SHA256=20C4124FDB49FA02F9E90B15E9DBA8E0BBD5A82218038AA636FCFAEDEA1B54EA,IMPHASH=5124BA4251101F1719330C2018DBB582trueMicrosoft WindowsValid 734700x80000000000000007990384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.890{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeC:\Windows\System32\usermgrcli.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)UserMgr API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationusermgrcli.dllMD5=53088C541D573FB17068D8C7FE2C91EA,SHA256=20C4124FDB49FA02F9E90B15E9DBA8E0BBD5A82218038AA636FCFAEDEA1B54EA,IMPHASH=5124BA4251101F1719330C2018DBB582trueMicrosoft WindowsValid 734700x80000000000000007990383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.890{3BF36828-DD0D-60DD-1200-00000000C801}396C:\Windows\System32\svchost.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.4169 (rs1_release.210107-1130)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=B877C5BDEA2215B3D3CF89F645EB535C,SHA256=2F5468CC4277C8CB4B2AD1095AFC739ECAE0F0B6EE78E57BF64A97F3BDA54C19,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 734700x80000000000000007990382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.890{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.4169 (rs1_release.210107-1130)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=B877C5BDEA2215B3D3CF89F645EB535C,SHA256=2F5468CC4277C8CB4B2AD1095AFC739ECAE0F0B6EE78E57BF64A97F3BDA54C19,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 734700x80000000000000007990381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.890{3BF36828-DD0D-60DD-1200-00000000C801}396C:\Windows\System32\svchost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x80000000000000007990380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.718{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\EditBufferTestHook.dll10.0.14393.4169 (rs1_release.210107-1130)"EditBufferTestHook.DYNLINK"Microsoft® Windows® Operating SystemMicrosoft Corporation"EditBufferTestHook.DYNLINK"MD5=E0FABF4F824E29E1A31EFEE76A8E4856,SHA256=3B7F28D02BCBF33B09BD889995B7DC9196775C083708B5C97E1CF513E8BA1381,IMPHASH=C1D3A21BC28B6EBDB2DA5925D96C0F27trueMicrosoft WindowsValid 734700x80000000000000007990379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.874{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\StateRepository.Core.dll10.0.14393.4169 (rs1_release.210107-1130)StateRepository CoreMicrosoft® Windows® Operating SystemMicrosoft CorporationStateRepository.Core.dllMD5=94299201E0B602E4692F61C5A46E32D9,SHA256=D343410FB20D88B74BF661CACADBBD913034D02410A826A84D60B2B66A95A862,IMPHASH=53CA7FAF1CEDFB0EC8CCD763B974D4A1trueMicrosoft WindowsValid 734700x80000000000000007990378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.874{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\Windows.StateRepository.dll10.0.14393.4169 (rs1_release.210107-1130)Windows StateRepository API ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.StateRepository.dllMD5=8F4457905D80A520C684CA48F807C268,SHA256=623299C57C3148EB7B8EE0FE22F2E8A4C7A41712A87D43074E56643BEB84C06A,IMPHASH=A28EA9ED587BD4511849B7BB44021022trueMicrosoft WindowsValid 734700x80000000000000007990377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.874{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\dsclient.dll10.0.14393.0 (rs1_release.160715-1616)Data Sharing Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdsclient.dllMD5=68B9D02A469519C6BFD9F39854EE8E62,SHA256=A7646650AB50D076DBBC6E9B767565DDA71B078814BC2071BA525F118B861883,IMPHASH=F148E4E0D3E37883A6CAB6CEE53CA685trueMicrosoft WindowsValid 734700x80000000000000007990376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.718{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\AppointmentActivation.dll10.0.14393.4169 (rs1_release.210107-1130)DLL for AppointmentActivationMicrosoft® Windows® Operating SystemMicrosoft CorporationAppointmentActivation.dllMD5=BA996CAADC470556B693014107ED4299,SHA256=F82DC6DBB5AD558B54677E0EA241FED03FC922E8430147B0C1D8A5C6B481FEBE,IMPHASH=E9E81191C73A7CEEFA48275B726028A6trueMicrosoft WindowsValid 734700x80000000000000007990375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.874{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\msvcp110_win.dll10.0.14393.2007 (rs1_release.171231-1800)Microsoft® STL110 C++ Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp110_win.dllMD5=BFB390484F611C21582AD11E4C6ADEF2,SHA256=30B5AD268C022FCA2AACAE2CB6E4DC36F6A01C16A006046BB4417CEA96DA4F5A,IMPHASH=80A56C2FEE02149B4E326F9A62FF4B12trueMicrosoft WindowsValid 734700x80000000000000007990374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.874{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\KBDUS.DLL10.0.14393.0 (rs1_release.160715-1616)United States Keyboard LayoutMicrosoft® Windows® Operating SystemMicrosoft Corporationkbdus.dllMD5=974F03FF3BDB6786F890329340E29CFF,SHA256=D02BCC19AB89EE188DD31D17DEBAECDE26CFC0B30B6E5B0CC5889CCC85202E63,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007990373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.718{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\InputService.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Text InputService DllMicrosoft® Windows® Operating SystemMicrosoft CorporationInputService.dllMD5=5FD5967D1FADA6B8709782A9DE2F155F,SHA256=F9330252C81AF67E2B0E1C8CA8EE7B3B3DB04A25249DB7C0BC7CA2C25C0A48F6,IMPHASH=232E0929F2E15D420318B6E57AC6B937trueMicrosoft WindowsValid 734700x80000000000000007990372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.859{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x80000000000000007990371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.859{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x80000000000000007990370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.859{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x80000000000000007990369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.859{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x80000000000000007990368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.859{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x80000000000000007990367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.859{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x80000000000000007990366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.843{3BF36828-E8AA-60DD-0302-00000000C801}4780C:\Windows\System32\taskhostw.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x80000000000000007990365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.843{3BF36828-E8AA-60DD-0302-00000000C801}4780C:\Windows\System32\taskhostw.exeC:\Windows\System32\dsrole.dll10.0.14393.0 (rs1_release.160715-1616)DS Setup Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationDSROLE.DLLMD5=2A319EC8DF0FB5C46CF311B9D2B65B1D,SHA256=62B8900EFDF4B30E54E11232A8DA95DBF066DAEFD364A66EB99ADC028A3798F7,IMPHASH=E4AC0A0BD42B7356347D6A1BE150F6A6trueMicrosoft WindowsValid 734700x80000000000000007990364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.827{3BF36828-E8AA-60DD-0302-00000000C801}4780C:\Windows\System32\taskhostw.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 10341000x80000000000000007990363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.827{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007990362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.827{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1000-00000000C801}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x80000000000000007990361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2021-07-01 16:09:14.827{3BF36828-DD0D-60DD-1000-00000000C801}372\TSVCPIPE-ba6792c9-6e4d-400a-aa85-ef891e925242C:\Windows\System32\svchost.exe 734700x80000000000000007990360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.718{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\ActivationManager.dll10.0.14393.4169 (rs1_release.210107-1130)Activation ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationActivationManager.dllMD5=062CD725DACFA556C2E21A47D7BF4C1A,SHA256=786DD34794C3A177B8BCAB663292D57EBEF84952CE4E5AF76D5ABBFD3DF8BF71,IMPHASH=0A876F51BDB4189095BE94F8B067996FtrueMicrosoft WindowsValid 734700x80000000000000007990359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.827{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x80000000000000007990358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.827{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\Windows.Networking.Connectivity.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Networking Connectivity Runtime DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Networking.Connectivity.dllMD5=7934F613774F04B5BFD097B3D77F81FB,SHA256=E1A32AADFED0859269C89D4E1C961D3BC8EA2A5FA86487C9817BB52899E0F60E,IMPHASH=A22E7FE596D3FD4304E9006454C5249BtrueMicrosoft WindowsValid 734700x80000000000000007990357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.827{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355,IMPHASH=FE994282C73F9AB11AC9B6E37AC26B47trueMicrosoft WindowsValid 734700x80000000000000007990356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.827{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\dhcpcsvc.dll10.0.14393.3930 (rs1_release.200901-1914)DHCP Client ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc.dllMD5=CD3B9633BBEF2102C4665A2C39EC0B1A,SHA256=341EFB4806BE39E09AA90CA3B069C39F2A9D61FA9B512350B2721D41875AFCAE,IMPHASH=9A2F821D250C4CEBC0627590331B869DtrueMicrosoft WindowsValid 734700x80000000000000007990355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.827{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\dhcpcsvc6.dll10.0.14393.3930 (rs1_release.200901-1914)DHCPv6 ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc6.dllMD5=1721EAC44BCFC7177AA664ADCA514F23,SHA256=C099BCCE44A04A48147DE8CF093EBF997510154113789BF31394B5148F60B375,IMPHASH=1278B10B4CD792CEC37AF93D76A387ECtrueMicrosoft WindowsValid 734700x80000000000000007990354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.827{3BF36828-E8AA-60DD-0302-00000000C801}4780C:\Windows\System32\taskhostw.exeC:\Windows\System32\dsparse.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdsparse.dllMD5=E9B5EFC173FDD55C00B2F28B8BAC144B,SHA256=0CA602484CD0E2C67091FCD60091608BF746B1D05B353DB9805D1CAE0ED09D70,IMPHASH=6FD21A38F62935B130604FF29AA3AFC5trueMicrosoft WindowsValid 734700x80000000000000007990353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.827{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007990352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.827{3BF36828-E8AA-60DD-0302-00000000C801}4780C:\Windows\System32\taskhostw.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x80000000000000007990351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.827{3BF36828-E8AA-60DD-0302-00000000C801}4780C:\Windows\System32\taskhostw.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FA,IMPHASH=5BAA515B293A764CA06512D078C4E624trueMicrosoft WindowsValid 734700x80000000000000007990350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.702{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\rmclient.dll10.0.14393.4169 (rs1_release.210107-1130)Resource Manager ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationrmclient.dllMD5=D3ABCEC776B1B1D7457A2E8E05F79EE3,SHA256=C368321C5BB811D937E8ABDD2BC3EB959BB8B65F49C104B5AD746129E4E5D169,IMPHASH=FE4203B37BF9B6CEA63D659FD081E423trueMicrosoft WindowsValid 734700x80000000000000007990349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.734{3BF36828-DD0C-60DD-0C00-00000000C801}864C:\Windows\System32\svchost.exeC:\Windows\System32\rmclient.dll10.0.14393.4169 (rs1_release.210107-1130)Resource Manager ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationrmclient.dllMD5=D3ABCEC776B1B1D7457A2E8E05F79EE3,SHA256=C368321C5BB811D937E8ABDD2BC3EB959BB8B65F49C104B5AD746129E4E5D169,IMPHASH=FE4203B37BF9B6CEA63D659FD081E423trueMicrosoft WindowsValid 734700x80000000000000007990348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.702{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\cdp.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft (R) CDP Client APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCDP.dllMD5=97BCD0CFB8C9A7133688C1683B8BB049,SHA256=A4DCBC842B5D97DBE298130BA97D329085B992F15B9FC4C2F78871826618CD80,IMPHASH=BA9A45255BAE8B363B6B657A12E44278trueMicrosoft WindowsValid 734700x80000000000000007990347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.812{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\System32\svchost.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 10341000x80000000000000007990346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.796{3BF36828-DD0D-60DD-1300-00000000C801}960728C:\Windows\System32\svchost.exe{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+1969|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.796{3BF36828-DD0D-60DD-1300-00000000C801}960728C:\Windows\System32\svchost.exe{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\ncbservice.dll+165c|c:\windows\system32\ncbservice.dll+227a|c:\windows\system32\ncbservice.dll+205e|c:\windows\system32\ncbservice.dll+1bdb|c:\windows\system32\ncbservice.dll+181b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.796{3BF36828-DD0D-60DD-1300-00000000C801}960728C:\Windows\System32\svchost.exe{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+17cf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.796{3BF36828-DD0D-60DD-1300-00000000C801}960728C:\Windows\System32\svchost.exe{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+2e77|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.796{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\System32\svchost.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007990341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.796{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\esent.dll10.0.14393.3686 (rs1_release.200504-1524)Extensible Storage Engine for Microsoft(R) Windows(R)Microsoft® Windows® Operating SystemMicrosoft Corporationesent.dllMD5=372653326F31FCCA92A05331BCC8C95D,SHA256=B300AF0A4651A44C4D7D344033EB6317480CEF6F9E24BE1B34DA75A1B00C1807,IMPHASH=637BF97067C7F0AB1E14497F0B9878AAtrueMicrosoft WindowsValid 734700x80000000000000007990340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.796{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\System32\svchost.exeC:\Windows\System32\Windows.Networking.Connectivity.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Networking Connectivity Runtime DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Networking.Connectivity.dllMD5=7934F613774F04B5BFD097B3D77F81FB,SHA256=E1A32AADFED0859269C89D4E1C961D3BC8EA2A5FA86487C9817BB52899E0F60E,IMPHASH=A22E7FE596D3FD4304E9006454C5249BtrueMicrosoft WindowsValid 734700x80000000000000007990339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.781{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\System32\svchost.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355,IMPHASH=FE994282C73F9AB11AC9B6E37AC26B47trueMicrosoft WindowsValid 734700x80000000000000007990338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.781{3BF36828-DD0C-60DD-0C00-00000000C801}864C:\Windows\System32\svchost.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207,IMPHASH=24160898971C9C6FED5AE429E3AAD3DAtrueMicrosoft WindowsValid 10341000x80000000000000007990337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.781{3BF36828-DD0D-60DD-1300-00000000C801}960728C:\Windows\System32\svchost.exe{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+2e77|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.781{3BF36828-E8AA-60DD-0302-00000000C801}4780C:\Windows\System32\taskhostw.exeC:\Windows\System32\netprofm.dll10.0.14393.4169 (rs1_release.210107-1130)Network List ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationnetprofm.dllMD5=02AD37C3C2D54BCD9E7BD2AFF3D6E7A6,SHA256=D71D631EC1790A9BD9451EFAEFC7EBADE6353A17CDBB4D8AAACD3102430A686E,IMPHASH=421DFA99869D231800F1E7ABEE7E4DA4trueMicrosoft WindowsValid 10341000x80000000000000007990335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.781{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.781{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.781{3BF36828-DD0C-60DD-0C00-00000000C801}864C:\Windows\System32\svchost.exeC:\Windows\System32\OneCoreCommonProxyStub.dll10.0.14393.2395 (rs1_release_inmarket.180714-1932)OneCore Common Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationOneCoreCommonProxyStub.dllMD5=02CEC1566FB0709923FF7A9FEC254D96,SHA256=81BED60AEB79C489E9F79996A3F0AB626E6CA247EBB656B6B9897C47A39F6AFB,IMPHASH=69A8B7E9F373278F52FE45A83CE3A380trueMicrosoft WindowsValid 10341000x80000000000000007990332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.781{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.781{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\OneCoreCommonProxyStub.dll10.0.14393.2395 (rs1_release_inmarket.180714-1932)OneCore Common Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationOneCoreCommonProxyStub.dllMD5=02CEC1566FB0709923FF7A9FEC254D96,SHA256=81BED60AEB79C489E9F79996A3F0AB626E6CA247EBB656B6B9897C47A39F6AFB,IMPHASH=69A8B7E9F373278F52FE45A83CE3A380trueMicrosoft WindowsValid 734700x80000000000000007990330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.781{3BF36828-E8AA-60DD-0302-00000000C801}4780C:\Windows\System32\taskhostw.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x80000000000000007990329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.781{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.781{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.781{3BF36828-E8AA-60DD-0302-00000000C801}4780C:\Windows\System32\taskhostw.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x80000000000000007990326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.781{3BF36828-DD0C-60DD-0C00-00000000C801}864C:\Windows\System32\svchost.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BF,IMPHASH=B74E4EE6BBCE405BE73914241C9AF2C8trueMicrosoft WindowsValid 734700x80000000000000007990325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.781{3BF36828-DD0C-60DD-0C00-00000000C801}864C:\Windows\System32\svchost.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007990324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.781{3BF36828-E8AA-60DD-0302-00000000C801}4780C:\Windows\System32\taskhostw.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x80000000000000007990323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-E8AA-60DD-0302-00000000C801}4780C:\Windows\System32\taskhostw.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007990322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-E8AA-60DD-0302-00000000C801}4780C:\Windows\System32\taskhostw.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007990321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-E8AA-60DD-0302-00000000C801}4780C:\Windows\System32\taskhostw.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007990320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-E8AA-60DD-0302-00000000C801}4780C:\Windows\System32\taskhostw.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007990319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-E8AA-60DD-0302-00000000C801}4780C:\Windows\System32\taskhostw.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007990318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-E8AA-60DD-0302-00000000C801}4780C:\Windows\System32\taskhostw.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007990317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-E8AA-60DD-0302-00000000C801}4780C:\Windows\System32\taskhostw.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x80000000000000007990316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\iertutil.dll11.00.14393.4283 (rs1_release.210303-1802)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=5541A4A7FB64063F8AFB192ABD4DAE70,SHA256=AABF2E6C392F29B77F076BF705976B68B3100138BC63060335BD154B8417754D,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 10341000x80000000000000007990315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-E8AA-60DD-FC01-00000000C801}34883768C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61acc|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000007990314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-E8AA-60DD-FC01-00000000C801}34883768C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61acc|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 734700x80000000000000007990313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\OneCoreCommonProxyStub.dll10.0.14393.2395 (rs1_release_inmarket.180714-1932)OneCore Common Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationOneCoreCommonProxyStub.dllMD5=02CEC1566FB0709923FF7A9FEC254D96,SHA256=81BED60AEB79C489E9F79996A3F0AB626E6CA247EBB656B6B9897C47A39F6AFB,IMPHASH=69A8B7E9F373278F52FE45A83CE3A380trueMicrosoft WindowsValid 734700x80000000000000007990312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-E8AA-60DD-0302-00000000C801}4780C:\Windows\System32\taskhostw.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007990311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-E8AA-60DD-0302-00000000C801}4780C:\Windows\System32\taskhostw.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007990310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-E8AA-60DD-0302-00000000C801}4780C:\Windows\System32\taskhostw.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007990309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-E8AA-60DD-0302-00000000C801}4780C:\Windows\System32\taskhostw.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007990308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-E8AA-60DD-0302-00000000C801}4780C:\Windows\System32\taskhostw.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007990307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-E8AA-60DD-0302-00000000C801}4780C:\Windows\System32\taskhostw.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007990306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-E8AA-60DD-0302-00000000C801}4780C:\Windows\System32\taskhostw.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007990305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-E8AA-60DD-0302-00000000C801}4780C:\Windows\System32\taskhostw.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007990304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-E8AA-60DD-0302-00000000C801}4780C:\Windows\System32\taskhostw.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007990303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-E8AA-60DD-0302-00000000C801}4780C:\Windows\System32\taskhostw.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007990302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-E8AA-60DD-0302-00000000C801}4780C:\Windows\System32\taskhostw.exeC:\Windows\System32\taskhostw.exe10.0.14393.3297 (rs1_release_1.191001-1045)Host Process for Windows TasksMicrosoft® Windows® Operating SystemMicrosoft Corporationtaskhostw.exeMD5=B5D41CD8E27C26DA82B11B277D233B04,SHA256=1876990EEBC99F0B0F66BEC435FE2810E450532E23E22427DA31A09802394461,IMPHASH=1CCD2E7A159E4500473733FB9D75028BtrueMicrosoft WindowsValid 10341000x80000000000000007990301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=D0DB3DD09FB2B4ADABF4E719FAFC4EB9,SHA256=8B7C056B5F4AB604ED5077A39C63CE1B5A34929DE76DA4A3C54D6E648D123BAB,IMPHASH=AD7CEB919D43FA2BD394EC803EB6BCDAtrueMicrosoft WindowsValid 734700x80000000000000007990296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\tokenbinding.dll10.0.14393.2363 (rs1_release.180625-1741)Token Binding ProtocolMicrosoft® Windows® Operating SystemMicrosoft Corporationtokenbinding.dllMD5=8AD65F608FD6964085B365A43F8DBEA4,SHA256=E088353C88877763D4E5BB6EB7FB55C81908DF639A9AF89EECA546FD9EDB18DE,IMPHASH=EDBDD2E193CED10C0D380B250BFC13C5trueMicrosoft WindowsValid 734700x80000000000000007990295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\TokenBroker.dll10.0.14393.4169 (rs1_release.210107-1130)Token BrokerMicrosoft® Windows® Operating SystemMicrosoft CorporationTokenBroker.dllMD5=9ECF3BE652A6FF4B5C4744697FDDABA2,SHA256=00DF6190CBF64C8840C1B9068A844D4A6584E6D82C8C6FD78CFDB10184F815C7,IMPHASH=F91C8ACC62DFD3D725FAC2A0CBB6AA8FtrueMicrosoft WindowsValid 734700x80000000000000007990294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007990293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\vaultcli.dll10.0.14393.4169 (rs1_release.210107-1130)Credential Vault Client LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationvaultcli.dllMD5=3A4413FEB384CA47420B1A7CB9099BF0,SHA256=338D718FF68D1ACF8AFC366E923B44128E821DDD50A9C282A5F55502BAF288FA,IMPHASH=E0B17C1B749544B11E7164BC8880263EtrueMicrosoft WindowsValid 734700x80000000000000007990292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.749{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\UserMgrProxy.dll10.0.14393.4283 (rs1_release.210303-1802)UserMgrProxyMicrosoft® Windows® Operating SystemMicrosoft Corporationusermgrproxy.dllMD5=AF3700CF9AAABABA08470416F00B7036,SHA256=8F1595F1AF0DECA3FBAE25E8FC2409ABC9C976EE2BB5B567B0E2FD33CBF4F22C,IMPHASH=F199335708837C17195EBB8AF4E3B0EFtrueMicrosoft WindowsValid 734700x80000000000000007990291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.749{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\iertutil.dll11.00.14393.4283 (rs1_release.210303-1802)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=5541A4A7FB64063F8AFB192ABD4DAE70,SHA256=AABF2E6C392F29B77F076BF705976B68B3100138BC63060335BD154B8417754D,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x80000000000000007990290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.702{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\ClipboardServer.dll10.0.14393.4169 (rs1_release.210107-1130)Modern Clipboard API ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationClipboardServer.dllMD5=746D74D06EE53B629C674A2EC1596714,SHA256=B443C7FD47990DDD6B6903570E0D388BC8EA126E048AB0651F86C384811A06B3,IMPHASH=E357F2AE8C133BCE2A82223C802A075AtrueMicrosoft WindowsValid 734700x80000000000000007990289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.749{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.4169 (rs1_release.210107-1130)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=B877C5BDEA2215B3D3CF89F645EB535C,SHA256=2F5468CC4277C8CB4B2AD1095AFC739ECAE0F0B6EE78E57BF64A97F3BDA54C19,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 734700x80000000000000007990288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.749{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\WinTypes.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=AAA321C636929D23C58B5A78EDA04B61,SHA256=E33D62CC132B8D790B3604DBE227CD2A270E30C1B71881BB4E3B00732CE56E5C,IMPHASH=58F905117CF0434AF54A7CD9D43EEF30trueMicrosoft WindowsValid 734700x80000000000000007990287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.749{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007990286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.749{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 10341000x80000000000000007990285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.749{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.749{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.749{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+3a1a|c:\windows\system32\SYSNTFY.dll+1e8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.749{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.749{3BF36828-DD0D-60DD-0F00-00000000C801}3441704C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\sessenv.dll+3de88|c:\windows\system32\sessenv.dll+f881|c:\windows\system32\sessenv.dll+677c|c:\windows\system32\SYSNTFY.dll+1e8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.749{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6,IMPHASH=46ADE2B067E724C7163A0B1902FEF225trueMicrosoft WindowsValid 734700x80000000000000007990279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\msutb.dll10.0.14393.953 (rs1_release_inmarket.170303-1614)MSUTB Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSUTB.DLLMD5=17CD28B5081E8C9D25228987EDD4E4F4,SHA256=7AA14D2F375CCB4A57053144BC826132938C66ADDB282C940F736F3C6E358DA5,IMPHASH=C2050C3A907779B8B143FA73DD6A1241trueMicrosoft WindowsValid 734700x80000000000000007990278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.734{3BF36828-DD0C-60DD-0C00-00000000C801}864C:\Windows\System32\svchost.exeC:\Windows\System32\OneCoreUAPCommonProxyStub.dll10.0.14393.3808 (rs1_release.200707-2105)OneCoreUAP Common Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationOneCoreUAPCommonProxyStub.dllMD5=9F8EF1431E82015CD1918582A770DB35,SHA256=FC2073DCE9AC41DBF338FAFE85F2429D6D3812573D2192C7A906C1D46E0AB4FA,IMPHASH=D919FF32201FBB7C5B3EF498D589EAE4trueMicrosoft WindowsValid 18141800x80000000000000007990277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2021-07-01 16:09:14.734{3BF36828-DD0D-60DD-1000-00000000C801}372\TSVCPIPE-ba6792c9-6e4d-400a-aa85-ef891e925242C:\Windows\System32\svchost.exe 734700x80000000000000007990276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.734{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\OneCoreUAPCommonProxyStub.dll10.0.14393.3808 (rs1_release.200707-2105)OneCoreUAP Common Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationOneCoreUAPCommonProxyStub.dllMD5=9F8EF1431E82015CD1918582A770DB35,SHA256=FC2073DCE9AC41DBF338FAFE85F2429D6D3812573D2192C7A906C1D46E0AB4FA,IMPHASH=D919FF32201FBB7C5B3EF498D589EAE4trueMicrosoft WindowsValid 734700x80000000000000007990275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.734{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\wintrust.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=D8CD8451D1E194230F18866AD6EFE5E7,SHA256=9977AA1287962035C24DF806DDA67F09FFE9BDF696DBA507D749C624AE1C178D,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x80000000000000007990274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.734{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x80000000000000007990273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.734{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x80000000000000007990272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.734{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007990271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.734{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007990270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\modernexecserver.dll10.0.14393.4169 (rs1_release.210107-1130)Modern Execution ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationModernExecServer.dllMD5=74A6A42311720FA2006A6966D2D6D707,SHA256=6FC88995BE24CF511EBC22971422F871BFBA3749E4B686ACF4088D68461FCB42,IMPHASH=878A8E2C5E94845F7A44C1DD3F5610E0trueMicrosoft WindowsValid 734700x80000000000000007990269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.734{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\msctf.dll10.0.14393.4225 (rs1_release.210127-1811)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=1FD254D30743876981194F7E17ECDB6F,SHA256=0CB67AC140097A888B7ED85C9A31F8967D16661B82557CE5D61FA70A85BDF8B8,IMPHASH=BC8DDE4D2412D48001350313FD2B7840trueMicrosoft WindowsValid 734700x80000000000000007990268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.734{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\usermgrcli.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)UserMgr API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationusermgrcli.dllMD5=53088C541D573FB17068D8C7FE2C91EA,SHA256=20C4124FDB49FA02F9E90B15E9DBA8E0BBD5A82218038AA636FCFAEDEA1B54EA,IMPHASH=5124BA4251101F1719330C2018DBB582trueMicrosoft WindowsValid 734700x80000000000000007990267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.734{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\UserMgrProxy.dll10.0.14393.4283 (rs1_release.210303-1802)UserMgrProxyMicrosoft® Windows® Operating SystemMicrosoft Corporationusermgrproxy.dllMD5=AF3700CF9AAABABA08470416F00B7036,SHA256=8F1595F1AF0DECA3FBAE25E8FC2409ABC9C976EE2BB5B567B0E2FD33CBF4F22C,IMPHASH=F199335708837C17195EBB8AF4E3B0EFtrueMicrosoft WindowsValid 734700x80000000000000007990266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.718{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007990265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.718{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007990264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.718{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\WinTypes.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=AAA321C636929D23C58B5A78EDA04B61,SHA256=E33D62CC132B8D790B3604DBE227CD2A270E30C1B71881BB4E3B00732CE56E5C,IMPHASH=58F905117CF0434AF54A7CD9D43EEF30trueMicrosoft WindowsValid 734700x80000000000000007990263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.718{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x80000000000000007990262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.718{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\CoreUIComponents.dll-----MD5=938961BA199F9626C72673E8D67A0D56,SHA256=92414B7F78A45D4DE494F3283B2A33A1F422E32F73C1733AA9071EE0B89ADC5E,IMPHASH=E1E6E93CD96B5C1875509E930B2B8C21trueMicrosoft WindowsValid 734700x80000000000000007990261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.718{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\CoreMessaging.dll10.0.14393.3930Microsoft CoreMessaging DllMicrosoft® Windows® Operating SystemMicrosoft CorporationCoreMessaging.dllMD5=3D9D2F367587B2E93F2868F52D4ACBDD,SHA256=B4B27A7D4B9B685B6015D090B6A3E0E578AFBDE8D6C06A8F2E606A439D5A4BA4,IMPHASH=92CA7117B99353AC45978E95EEB5A46DtrueMicrosoft WindowsValid 734700x80000000000000007990260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.718{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x80000000000000007990259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.718{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\wintrust.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=D8CD8451D1E194230F18866AD6EFE5E7,SHA256=9977AA1287962035C24DF806DDA67F09FFE9BDF696DBA507D749C624AE1C178D,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x80000000000000007990258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.718{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=51A0208B106B4392AC4B3174B27A39EF,SHA256=EA9955976994C44DC091A07C69E9C863A4D5A960900019D3C4136BDFD1F885D4,IMPHASH=334E5331674424695F9872596E2677C7trueMicrosoft WindowsValid 734700x80000000000000007990257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.718{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\winhttp.dll10.0.14393.4169 (rs1_release.210107-1130)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=24995B62FFC2519B34A2145673BD275F,SHA256=BB7D4DE1BE6111462F65F999A8969DA04113F15A80D534A93D3CCC76A9FE1F22,IMPHASH=F1FC6BF3699C289EBAF914A7771E49CDtrueMicrosoft WindowsValid 734700x80000000000000007990256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.702{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\UIAutomationCore.dll7.2.14393.4169 (rs1_release.210107-1130)Microsoft UI Automation CoreMicrosoft® Windows® Operating SystemMicrosoft CorporationUIAutomationCore.dllMD5=9B2DCFE11EEBDDC18A8F5964E04E64A0,SHA256=5CBC5B45B9EB5B4EF1360005CD675D20D7EE9FE588DA24543FF7C9ACB88317FF,IMPHASH=6691D3D33C2662107A11540A5A994674trueMicrosoft WindowsValid 734700x80000000000000007990255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.702{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007990254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.702{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843,IMPHASH=EAA4328F5E33714FA08C71E4AAE43CC1trueMicrosoft WindowsValid 734700x80000000000000007990253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.702{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007990252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.702{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007990251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.702{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007990250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\MsCtfMonitor.dll10.0.14393.0 (rs1_release.160715-1616)MsCtfMonitor DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMsCtfMonitor.DLLMD5=81BC8DBCD544B8837BCBC5CAD0C9CA08,SHA256=C67286427B136D36F2785B3DF169B8D3E820ADCD1C836B69770439A9456A2E8E,IMPHASH=9B989CE38CE9C40F828E034B46B8E9F3trueMicrosoft WindowsValid 734700x80000000000000007990249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.702{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4,IMPHASH=B6A1A16A2B5E910045E998CD7709E966trueMicrosoft WindowsValid 734700x80000000000000007990248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.702{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\msvcp110_win.dll10.0.14393.2007 (rs1_release.171231-1800)Microsoft® STL110 C++ Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp110_win.dllMD5=BFB390484F611C21582AD11E4C6ADEF2,SHA256=30B5AD268C022FCA2AACAE2CB6E4DC36F6A01C16A006046BB4417CEA96DA4F5A,IMPHASH=80A56C2FEE02149B4E326F9A62FF4B12trueMicrosoft WindowsValid 734700x80000000000000007990247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.702{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x80000000000000007990246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.702{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x80000000000000007990245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.702{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\VEEventDispatcher.dll10.0.14393.4169 (rs1_release.210107-1130)Visual Element Event dispatcherMicrosoft® Windows® Operating SystemMicrosoft CorporationVEEventDispatcher.dllMD5=7A89C3B780AD83BD07097E1562C8C2A4,SHA256=A2E4969569F4A963A6F02827480634480817BC00A52C5BB96BD6FC6D9BE54B2A,IMPHASH=68182A73D7878DB2056CBA31DAA3CEFCtrueMicrosoft WindowsValid 734700x80000000000000007990244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.702{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FA,IMPHASH=5BAA515B293A764CA06512D078C4E624trueMicrosoft WindowsValid 734700x80000000000000007990243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.687{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x80000000000000007990242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.687{3BF36828-E8AA-60DD-FF01-00000000C801}3452C:\Windows\System32\XblGameSaveTask.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007990241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.687{3BF36828-E8AA-60DD-FF01-00000000C801}3452C:\Windows\System32\XblGameSaveTask.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007990240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.687{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\msvcp110_win.dll10.0.14393.2007 (rs1_release.171231-1800)Microsoft® STL110 C++ Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp110_win.dllMD5=BFB390484F611C21582AD11E4C6ADEF2,SHA256=30B5AD268C022FCA2AACAE2CB6E4DC36F6A01C16A006046BB4417CEA96DA4F5A,IMPHASH=80A56C2FEE02149B4E326F9A62FF4B12trueMicrosoft WindowsValid 734700x80000000000000007990239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.687{3BF36828-E8AA-60DD-0102-00000000C801}5108C:\Windows\System32\ServerManagerLauncher.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x80000000000000007990238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-E8AA-60DD-0102-00000000C801}5108C:\Windows\System32\ServerManagerLauncher.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x80000000000000007990237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll10.0.14393.4169 (rs1_release.210107-1130)Windows.Shell.ServiceHostBuilderMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Shell.ServiceHostBuilder.dllMD5=BAE7C7806F172B14686A3F22A92B3F6B,SHA256=F99E2CEA34785407A7127920360AC8F34CFE4B982D15B69B3C8B9902ADECECA1,IMPHASH=0E55B6055EE0F1C836E9516928D58A99trueMicrosoft WindowsValid 734700x80000000000000007990236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-E8AA-60DD-0202-00000000C801}1612C:\Windows\System32\conhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x80000000000000007990235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-E8AA-60DD-0102-00000000C801}5108C:\Windows\System32\ServerManagerLauncher.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x80000000000000007990234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-E8AA-60DD-0102-00000000C801}5108C:\Windows\System32\ServerManagerLauncher.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007990233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-E8AA-60DD-0102-00000000C801}5108C:\Windows\System32\ServerManagerLauncher.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x80000000000000007990232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-E8AA-60DD-0202-00000000C801}1612C:\Windows\System32\conhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007990231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-E8AA-60DD-0202-00000000C801}1612C:\Windows\System32\conhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x80000000000000007990230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\VEEventDispatcher.dll10.0.14393.4169 (rs1_release.210107-1130)Visual Element Event dispatcherMicrosoft® Windows® Operating SystemMicrosoft CorporationVEEventDispatcher.dllMD5=7A89C3B780AD83BD07097E1562C8C2A4,SHA256=A2E4969569F4A963A6F02827480634480817BC00A52C5BB96BD6FC6D9BE54B2A,IMPHASH=68182A73D7878DB2056CBA31DAA3CEFCtrueMicrosoft WindowsValid 734700x80000000000000007990229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x80000000000000007990228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-E8AA-60DD-0202-00000000C801}1612C:\Windows\System32\conhost.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007990227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-E8AA-60DD-0202-00000000C801}1612C:\Windows\System32\conhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x80000000000000007990226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007990225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-E8AA-60DD-0102-00000000C801}5108C:\Windows\System32\ServerManagerLauncher.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x80000000000000007990224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.4169 (rs1_release.210107-1130)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=B877C5BDEA2215B3D3CF89F645EB535C,SHA256=2F5468CC4277C8CB4B2AD1095AFC739ECAE0F0B6EE78E57BF64A97F3BDA54C19,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 734700x80000000000000007990223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\ResourcePolicyClient.dll10.0.14393.3808 (rs1_release.200707-2105)Resource Policy ClientMicrosoft® Windows® Operating SystemMicrosoft CorporationResourcePolicyClient.dllMD5=8FD5FEFE4E020BBC2D95F07BCDC84F71,SHA256=E5E351822CCDEBF81C47C4CA1D5C158E2880C1BD29CA024D163FD9316F3046AE,IMPHASH=E494F732179E765F2CE18BC21CDB1948trueMicrosoft WindowsValid 734700x80000000000000007990222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007990221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-E8AA-60DD-0202-00000000C801}1612C:\Windows\System32\conhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x80000000000000007990220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-E8AA-60DD-0202-00000000C801}1612C:\Windows\System32\conhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x80000000000000007990219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-E8AA-60DD-0102-00000000C801}5108C:\Windows\System32\ServerManagerLauncher.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x80000000000000007990218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-E8AA-60DD-0202-00000000C801}1612C:\Windows\System32\conhost.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 734700x80000000000000007990217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-E8AA-60DD-0102-00000000C801}5108C:\Windows\System32\ServerManagerLauncher.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 10341000x80000000000000007990216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-E8AA-60DD-0202-00000000C801}16124660C:\Windows\system32\conhost.exe{3BF36828-E8AA-60DD-FF01-00000000C801}3452C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{00000000-0000-0000-0000-000000000000}5108C:\Windows\System32\ServerManagerLauncher.exeC:\Windows\System32\ServerManagerLauncher.exe10.0.14393.0 (rs1_release.160715-1616)Server Manager LauncherMicrosoft® Windows® Operating SystemMicrosoft CorporationServerManagerLauncher.exeMD5=CA3A931A56D4B2429A39871131964101,SHA256=72EE5BD75AB5617A2FF4535EA7A62DE178A89A883C29DB606789BE112E6EF38E,IMPHASH=160CB66F1DA909B061E22899452E3895trueMicrosoft WindowsValid 734700x80000000000000007990210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-E8AA-60DD-0202-00000000C801}1612C:\Windows\System32\conhost.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x80000000000000007990209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-E8AA-60DD-0102-00000000C801}5108C:\Windows\System32\ServerManagerLauncher.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 734700x80000000000000007990208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-E8AA-60DD-0102-00000000C801}5108C:\Windows\System32\ServerManagerLauncher.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007990207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-E8AA-60DD-0102-00000000C801}5108C:\Windows\System32\ServerManagerLauncher.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007990206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-E8AA-60DD-0102-00000000C801}5108C:\Windows\System32\ServerManagerLauncher.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007990205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-E8AA-60DD-0102-00000000C801}5108C:\Windows\System32\ServerManagerLauncher.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007990204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-E8AA-60DD-0102-00000000C801}5108C:\Windows\System32\ServerManagerLauncher.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007990203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-E8AA-60DD-0102-00000000C801}5108C:\Windows\System32\ServerManagerLauncher.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007990202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.671{3BF36828-E8AA-60DD-0102-00000000C801}5108C:\Windows\System32\ServerManagerLauncher.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007990201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-0102-00000000C801}5108C:\Windows\System32\ServerManagerLauncher.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007990200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570,IMPHASH=2E790E44628AED89C2CC17E1E4A5CE1CtrueMicrosoft WindowsValid 734700x80000000000000007990199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\msctf.dll10.0.14393.4225 (rs1_release.210127-1811)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=1FD254D30743876981194F7E17ECDB6F,SHA256=0CB67AC140097A888B7ED85C9A31F8967D16661B82557CE5D61FA70A85BDF8B8,IMPHASH=BC8DDE4D2412D48001350313FD2B7840trueMicrosoft WindowsValid 10341000x80000000000000007990198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-0202-00000000C801}1612C:\Windows\System32\conhost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x80000000000000007990195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-0202-00000000C801}1612C:\Windows\System32\conhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x80000000000000007990192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-0202-00000000C801}1612C:\Windows\System32\conhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007990191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x80000000000000007990190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-0202-00000000C801}1612C:\Windows\System32\conhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007990189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-0202-00000000C801}1612C:\Windows\System32\conhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x80000000000000007990188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x80000000000000007990187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x80000000000000007990186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-0202-00000000C801}1612C:\Windows\System32\conhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007990185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-0202-00000000C801}1612C:\Windows\System32\conhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007990183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007990181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-0202-00000000C801}1612C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 10341000x80000000000000007990180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\cdpusersvc.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft (R) CDP User ComponentsMicrosoft® Windows® Operating SystemMicrosoft CorporationCDPUserSvc.dllMD5=F3A0C873D3FE674F6A8A26DED68A10F1,SHA256=F4B32A7C0369EFD380DC32989602A98E4BE631B03CDD1E2387330450694331C7,IMPHASH=0C07670FFD97B5D9F3098227EF31C5CEtrueMicrosoft WindowsValid 734700x80000000000000007990177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-0202-00000000C801}1612C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007990176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-0202-00000000C801}1612C:\Windows\System32\conhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 10341000x80000000000000007990175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-0202-00000000C801}1612C:\Windows\System32\conhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007990172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007990171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-0202-00000000C801}1612C:\Windows\System32\conhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007990170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-0202-00000000C801}1612C:\Windows\System32\conhost.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007990169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-0202-00000000C801}1612C:\Windows\System32\conhost.exeC:\Windows\System32\ConhostV2.dll10.0.14393.4402 (rs1_release.210426-1725)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=EBEFEF1FE2B0D6FF2595203DADE100C9,SHA256=70F4BB4198467DA8E2FD7AF475536B3F2FD1B3E56CEE7E376D0303C149C449F9,IMPHASH=49A59B06FE5B10F21E36B588430BFDB3trueMicrosoft WindowsValid 734700x80000000000000007990168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207,IMPHASH=24160898971C9C6FED5AE429E3AAD3DAtrueMicrosoft WindowsValid 734700x80000000000000007990167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007990166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007990165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-0102-00000000C801}5108C:\Windows\System32\ServerManagerLauncher.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007990164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007990163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-0102-00000000C801}5108C:\Windows\System32\ServerManagerLauncher.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007990162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007990161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-0102-00000000C801}5108C:\Windows\System32\ServerManagerLauncher.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007990160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x80000000000000007990159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-0102-00000000C801}5108C:\Windows\System32\ServerManagerLauncher.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007990158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8A8-60DD-F501-00000000C801}25762064C:\Windows\system32\csrss.exe{3BF36828-E8AA-60DD-0102-00000000C801}5108C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x80000000000000007990157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-0202-00000000C801}1612C:\Windows\System32\conhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007990156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.656{3BF36828-E8AA-60DD-0102-00000000C801}5108C:\Windows\System32\ServerManagerLauncher.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007990155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007990154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-0102-00000000C801}5108C:\Windows\System32\ServerManagerLauncher.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007990153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 10341000x80000000000000007990152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E8AA-60DD-0202-00000000C801}1612C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x80000000000000007990151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007990150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-0102-00000000C801}5108C:\Windows\System32\ServerManagerLauncher.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007990149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007990148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-0202-00000000C801}1612C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007990147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007990146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-0202-00000000C801}1612C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007990145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007990144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007990143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-0202-00000000C801}1612C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007990142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E8AA-60DD-0102-00000000C801}5108C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x80000000000000007990141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-0202-00000000C801}1612C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0,IMPHASH=2C980A4DA7C717CC670CB9E1D2C4D733trueMicrosoft WindowsValid 734700x80000000000000007990140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 10341000x80000000000000007990139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-DD0D-60DD-0F00-00000000C801}3441704C:\Windows\system32\svchost.exe{3BF36828-E8AA-60DD-0102-00000000C801}5108C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+acf0|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+108c6|c:\windows\system32\UBPM.dll+d439|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007990137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007990136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007990135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007990134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\taskhostw.exe10.0.14393.3297 (rs1_release_1.191001-1045)Host Process for Windows TasksMicrosoft® Windows® Operating SystemMicrosoft Corporationtaskhostw.exeMD5=B5D41CD8E27C26DA82B11B277D233B04,SHA256=1876990EEBC99F0B0F66BEC435FE2810E450532E23E22427DA31A09802394461,IMPHASH=1CCD2E7A159E4500473733FB9D75028BtrueMicrosoft WindowsValid 734700x80000000000000007990133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-FF01-00000000C801}3452C:\Windows\System32\XblGameSaveTask.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007990132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\DesktopShellExt.dll10.0.14393.4169 (rs1_release.210107-1130)DesktopHost ExtensionsMicrosoft® Windows® Operating SystemMicrosoft CorporationDesktopShellExt.dllMD5=D32C45FBD71DD13B330AA5DA74302ED5,SHA256=25EE428BCE2419202988926ED54E64610B689F06AAFD630EBD0187B8D6DCC682,IMPHASH=0E5A2114D5DA67F49DC2855172688607trueMicrosoft WindowsValid 734700x80000000000000007990131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570,IMPHASH=2E790E44628AED89C2CC17E1E4A5CE1CtrueMicrosoft WindowsValid 734700x80000000000000007990130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-FF01-00000000C801}3452C:\Windows\System32\XblGameSaveTask.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007990129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=D0DB3DD09FB2B4ADABF4E719FAFC4EB9,SHA256=8B7C056B5F4AB604ED5077A39C63CE1B5A34929DE76DA4A3C54D6E648D123BAB,IMPHASH=AD7CEB919D43FA2BD394EC803EB6BCDAtrueMicrosoft WindowsValid 734700x80000000000000007990128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-FF01-00000000C801}3452C:\Windows\System32\XblGameSaveTask.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007990127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-FF01-00000000C801}3452C:\Windows\System32\XblGameSaveTask.exeC:\Windows\System32\XblGameSaveTask.exe10.0.14393.0 (rs1_release.160715-1616)XblGameSave Standby TaskMicrosoft® Windows® Operating SystemMicrosoft CorporationXblGameSaveTask.exeMD5=7E74F3C9FC2A07012E130A3F9D0EABD1,SHA256=BABFAEE679E6005D49F7C314BA7FDA93F31B447E8D799256CCBE8B07252B726A,IMPHASH=4C61F9F9A9F83764F7901F30F50348FAtrueMicrosoft WindowsValid 734700x80000000000000007990126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007990125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 10341000x80000000000000007990124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E8AA-60DD-FF01-00000000C801}3452C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007990123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-DD0D-60DD-0F00-00000000C801}3443548C:\Windows\system32\svchost.exe{3BF36828-E8AA-60DD-FF01-00000000C801}3452C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1700-00000000C801}1472C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x80000000000000007990114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-DD0B-60DD-0A00-00000000C801}644736C:\Windows\system32\services.exe{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x80000000000000007990111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x80000000000000007990110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007990109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007990108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007990107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007990106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007990105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x80000000000000007990104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007990103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.640{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007990102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007990101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007990100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\WinTypes.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=AAA321C636929D23C58B5A78EDA04B61,SHA256=E33D62CC132B8D790B3604DBE227CD2A270E30C1B71881BB4E3B00732CE56E5C,IMPHASH=58F905117CF0434AF54A7CD9D43EEF30trueMicrosoft WindowsValid 734700x80000000000000007990099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007990098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007990097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007990096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007990095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x80000000000000007990094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\CoreUIComponents.dll-----MD5=938961BA199F9626C72673E8D67A0D56,SHA256=92414B7F78A45D4DE494F3283B2A33A1F422E32F73C1733AA9071EE0B89ADC5E,IMPHASH=E1E6E93CD96B5C1875509E930B2B8C21trueMicrosoft WindowsValid 734700x80000000000000007990093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\CoreMessaging.dll10.0.14393.3930Microsoft CoreMessaging DllMicrosoft® Windows® Operating SystemMicrosoft CorporationCoreMessaging.dllMD5=3D9D2F367587B2E93F2868F52D4ACBDD,SHA256=B4B27A7D4B9B685B6015D090B6A3E0E578AFBDE8D6C06A8F2E606A439D5A4BA4,IMPHASH=92CA7117B99353AC45978E95EEB5A46DtrueMicrosoft WindowsValid 10341000x80000000000000007990092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x80000000000000007990089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2021-07-01 16:09:14.624{3BF36828-DD0D-60DD-1000-00000000C801}372\TSVCPIPE-ba6792c9-6e4d-400a-aa85-ef891e925242C:\Windows\System32\svchost.exe 734700x80000000000000007990088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007990087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\sihost.exe10.0.14393.4169 (rs1_release.210107-1130)Shell Infrastructure HostMicrosoft® Windows® Operating SystemMicrosoft Corporationsihost.exeMD5=3634AA2AFD1B721479B15C3063CF32FA,SHA256=B72FAC49085F813A83A2E0E5CB31E5B5D5AFCC45057211FAF5BF98F74D74AB9D,IMPHASH=0E8BA5AB7D03CE0B6C0FB27E3B3B3830trueMicrosoft WindowsValid 734700x80000000000000007990086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007990085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007990083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007990082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007990081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007990080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007990079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x80000000000000007990078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-E8A8-60DD-F501-00000000C801}25762064C:\Windows\system32\csrss.exe{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007990076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 10341000x80000000000000007990074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-DD0D-60DD-0F00-00000000C801}3443548C:\Windows\system32\svchost.exe{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-DD0D-60DD-0F00-00000000C801}3441364C:\Windows\system32\svchost.exe{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007990071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007990070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x80000000000000007990069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007990068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.609{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeC:\Windows\System32\profext.dll10.0.14393.4283 (rs1_release.210303-1802)profextMicrosoft® Windows® Operating SystemMicrosoft Corporationprofext.dllMD5=3490D2800E46CE473BEFAF747D85F2D0,SHA256=ABE7C0822FB81A5B609F4F02070BCE6CE8CF51CAE49503F23B5AB92C811EF961,IMPHASH=82DBC5DF78A34C977A610912E2732607trueMicrosoft WindowsValid 10341000x80000000000000007990067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007990064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6trueMicrosoft Windows PublisherValid 10341000x80000000000000007990063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007990062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}6442924C:\Windows\system32\services.exe{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1dc37|C:\Windows\system32\services.exe+17f38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 13241300x80000000000000007990061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_1897e4\Description@%%SystemRoot%%\system32\WpnUserService.dll,-2 13241300x80000000000000007990060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_1897e4\FailureActionsBinary Data 734700x80000000000000007990059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 13241300x80000000000000007990058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_1897e4\Security\SecurityBinary Data 13241300x80000000000000007990057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_1897e4\DisplayNameWindows Push Notifications User Service_1897e4 13241300x80000000000000007990056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localT1031,T1050SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_1897e4\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000007990055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_1897e4\ErrorControlDWORD (0x00000000) 13241300x80000000000000007990054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localT1031,T1050SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_1897e4\StartDWORD (0x00000003) 13241300x80000000000000007990053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_1897e4\TypeDWORD (0x000000e0) 734700x80000000000000007990052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 13241300x80000000000000007990051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_1897e4\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-14000 13241300x80000000000000007990050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_1897e4\FailureActionsBinary Data 10341000x80000000000000007990049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007990048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_1897e4\Security\SecurityBinary Data 10341000x80000000000000007990047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007990046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_1897e4\DisplayNameUser Data Access_1897e4 13241300x80000000000000007990045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localT1031,T1050SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_1897e4\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000007990044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_1897e4\ErrorControlDWORD (0x00000000) 13241300x80000000000000007990043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localT1031,T1050SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_1897e4\StartDWORD (0x00000003) 734700x80000000000000007990042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.593{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeC:\Windows\System32\vaultcli.dll10.0.14393.4169 (rs1_release.210107-1130)Credential Vault Client LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationvaultcli.dllMD5=3A4413FEB384CA47420B1A7CB9099BF0,SHA256=338D718FF68D1ACF8AFC366E923B44128E821DDD50A9C282A5F55502BAF288FA,IMPHASH=E0B17C1B749544B11E7164BC8880263EtrueMicrosoft WindowsValid 13241300x80000000000000007990041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_1897e4\TypeDWORD (0x000000e0) 10341000x80000000000000007990040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007990039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_1897e4\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-10002 10341000x80000000000000007990038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007990037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_1897e4\FailureActionsBinary Data 13241300x80000000000000007990036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_1897e4\Security\SecurityBinary Data 734700x80000000000000007990035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.624{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 13241300x80000000000000007990034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_1897e4\DisplayNameUser Data Storage_1897e4 13241300x80000000000000007990033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localT1031,T1050SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_1897e4\ImagePathC:\Windows\System32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000007990032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_1897e4\ErrorControlDWORD (0x00000000) 13241300x80000000000000007990031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localT1031,T1050SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_1897e4\StartDWORD (0x00000003) 13241300x80000000000000007990030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_1897e4\TypeDWORD (0x000000e0) 13241300x80000000000000007990029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_1897e4\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-15000 13241300x80000000000000007990028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_1897e4\FailureActionsBinary Data 13241300x80000000000000007990027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_1897e4\Security\SecurityBinary Data 13241300x80000000000000007990026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_1897e4\DisplayNameContact Data_1897e4 13241300x80000000000000007990025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localT1031,T1050SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_1897e4\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000007990024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_1897e4\ErrorControlDWORD (0x00000000) 13241300x80000000000000007990023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localT1031,T1050SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_1897e4\StartDWORD (0x00000003) 13241300x80000000000000007990022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_1897e4\TypeDWORD (0x000000e0) 13241300x80000000000000007990021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_1897e4\Description@%%SystemRoot%%\system32\APHostRes.dll,-10001 13241300x80000000000000007990020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_1897e4\FailureActionsBinary Data 13241300x80000000000000007990019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_1897e4\Security\SecurityBinary Data 13241300x80000000000000007990018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_1897e4\DisplayNameSync Host_1897e4 13241300x80000000000000007990017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localT1031,T1050SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_1897e4\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000007990016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_1897e4\ErrorControlDWORD (0x00000000) 13241300x80000000000000007990015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localT1031,T1050SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_1897e4\StartDWORD (0x00000002) 13241300x80000000000000007990014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_1897e4\TypeDWORD (0x000000e0) 13241300x80000000000000007990013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_1897e4\Description@%%SystemRoot%%\system32\cdpusersvc.dll,-101 13241300x80000000000000007990012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_1897e4\FailureActionsBinary Data 13241300x80000000000000007990011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.624{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_1897e4\Security\SecurityBinary Data 13241300x80000000000000007990010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.609{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_1897e4\DisplayNameCDPUserSvc_1897e4 13241300x80000000000000007990009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localT1031,T1050SetValue2021-07-01 16:09:14.609{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_1897e4\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 734700x80000000000000007990008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.577{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeC:\Windows\System32\Windows.StateRepositoryBroker.dll10.0.14393.4169 (rs1_release.210107-1130)Windows StateRepository API BrokerMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.StateRepositoryBroker.dllMD5=B063A771A4DDB82F13584E5E2819DCAA,SHA256=BCBC332703895A7612AD4EE4D85D0E4E0AD0D351104A24655BE06AF0C5B47EAB,IMPHASH=016818B91680E7F453AE45F1CCEEDFFDtrueMicrosoft WindowsValid 13241300x80000000000000007990007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.609{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_1897e4\ErrorControlDWORD (0x00000001) 13241300x80000000000000007990006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localT1031,T1050SetValue2021-07-01 16:09:14.609{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_1897e4\StartDWORD (0x00000002) 13241300x80000000000000007990005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:09:14.609{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_1897e4\TypeDWORD (0x000000e0) 734700x80000000000000007990004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.609{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\System32\services.exeC:\Windows\System32\usermgrcli.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)UserMgr API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationusermgrcli.dllMD5=53088C541D573FB17068D8C7FE2C91EA,SHA256=20C4124FDB49FA02F9E90B15E9DBA8E0BBD5A82218038AA636FCFAEDEA1B54EA,IMPHASH=5124BA4251101F1719330C2018DBB582trueMicrosoft WindowsValid 10341000x80000000000000007990003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.609{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.562{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeC:\Windows\System32\StateRepository.Core.dll10.0.14393.4169 (rs1_release.210107-1130)StateRepository CoreMicrosoft® Windows® Operating SystemMicrosoft CorporationStateRepository.Core.dllMD5=94299201E0B602E4692F61C5A46E32D9,SHA256=D343410FB20D88B74BF661CACADBBD913034D02410A826A84D60B2B66A95A862,IMPHASH=53CA7FAF1CEDFB0EC8CCD763B974D4A1trueMicrosoft WindowsValid 734700x80000000000000007990001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.546{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeC:\Windows\System32\Windows.StateRepository.dll10.0.14393.4169 (rs1_release.210107-1130)Windows StateRepository API ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.StateRepository.dllMD5=8F4457905D80A520C684CA48F807C268,SHA256=623299C57C3148EB7B8EE0FE22F2E8A4C7A41712A87D43074E56643BEB84C06A,IMPHASH=A28EA9ED587BD4511849B7BB44021022trueMicrosoft WindowsValid 10341000x80000000000000007990000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.593{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.593{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.577{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeC:\Windows\System32\BCP47Langs.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)BCP47 Language ClassesMicrosoft® Windows® Operating SystemMicrosoft CorporationBCP47Lang.dllMD5=F688C2B9DD2EB56C3B0312B6380338AA,SHA256=B22DB210486D3B5F4EEB17900C5E7AA0EEFEDBB068A0C4858EFE9F8018C34628,IMPHASH=31EA1856BC7597303D8126028BBFDFB8trueMicrosoft WindowsValid 734700x80000000000000007989997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.577{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeC:\Windows\System32\Windows.UI.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Runtime UI Foundation DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.UI.dllMD5=FEC31833E8D13591BAECE59B8E39F53C,SHA256=424BAEA0DC8EF34305A881F9B36F22E8CFECA403A0D03B61782D69535387A401,IMPHASH=B073DE28C43175420FE754415439CCEAtrueMicrosoft WindowsValid 734700x80000000000000007989996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.577{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeC:\Windows\System32\MrmCoreR.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Windows MRMMicrosoft® Windows® Operating SystemMicrosoft CorporationMrmCore.dllMD5=D730B5700BEB4A7E6E4244684356739C,SHA256=26083BEB490E48F5711D69A0E597B7A4CC6FB4B31EDCD535A0FF0DFBE4E6F8DD,IMPHASH=462A9FA6F44F25C68798F197AC8EC9D9trueMicrosoft WindowsValid 734700x80000000000000007989995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.562{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\System32\svchost.exeC:\Windows\System32\WinTypes.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=AAA321C636929D23C58B5A78EDA04B61,SHA256=E33D62CC132B8D790B3604DBE227CD2A270E30C1B71881BB4E3B00732CE56E5C,IMPHASH=58F905117CF0434AF54A7CD9D43EEF30trueMicrosoft WindowsValid 18141800x80000000000000007989994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2021-07-01 16:09:14.531{3BF36828-DD0D-60DD-1000-00000000C801}372\TSVCPIPE-ba6792c9-6e4d-400a-aa85-ef891e925242C:\Windows\System32\svchost.exe 734700x80000000000000007989993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.531{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x80000000000000007989992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.531{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007989991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.531{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x80000000000000007989990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.531{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FA,IMPHASH=5BAA515B293A764CA06512D078C4E624trueMicrosoft WindowsValid 10341000x80000000000000007989989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.515{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.515{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=D0DB3DD09FB2B4ADABF4E719FAFC4EB9,SHA256=8B7C056B5F4AB604ED5077A39C63CE1B5A34929DE76DA4A3C54D6E648D123BAB,IMPHASH=AD7CEB919D43FA2BD394EC803EB6BCDAtrueMicrosoft WindowsValid 10341000x80000000000000007989987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.515{3BF36828-E8AA-60DD-FC01-00000000C801}34883768C:\Windows\System32\RuntimeBroker.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61acc|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000007989986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.515{3BF36828-E8AA-60DD-FC01-00000000C801}34883768C:\Windows\System32\RuntimeBroker.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61acc|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 734700x80000000000000007989985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.515{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeC:\Windows\System32\OneCoreCommonProxyStub.dll10.0.14393.2395 (rs1_release_inmarket.180714-1932)OneCore Common Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationOneCoreCommonProxyStub.dllMD5=02CEC1566FB0709923FF7A9FEC254D96,SHA256=81BED60AEB79C489E9F79996A3F0AB626E6CA247EBB656B6B9897C47A39F6AFB,IMPHASH=69A8B7E9F373278F52FE45A83CE3A380trueMicrosoft WindowsValid 734700x80000000000000007989984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.515{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\OneCoreCommonProxyStub.dll10.0.14393.2395 (rs1_release_inmarket.180714-1932)OneCore Common Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationOneCoreCommonProxyStub.dllMD5=02CEC1566FB0709923FF7A9FEC254D96,SHA256=81BED60AEB79C489E9F79996A3F0AB626E6CA247EBB656B6B9897C47A39F6AFB,IMPHASH=69A8B7E9F373278F52FE45A83CE3A380trueMicrosoft WindowsValid 734700x80000000000000007989983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.515{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\WinTypes.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=AAA321C636929D23C58B5A78EDA04B61,SHA256=E33D62CC132B8D790B3604DBE227CD2A270E30C1B71881BB4E3B00732CE56E5C,IMPHASH=58F905117CF0434AF54A7CD9D43EEF30trueMicrosoft WindowsValid 734700x80000000000000007989982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.515{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\tokenbinding.dll10.0.14393.2363 (rs1_release.180625-1741)Token Binding ProtocolMicrosoft® Windows® Operating SystemMicrosoft Corporationtokenbinding.dllMD5=8AD65F608FD6964085B365A43F8DBEA4,SHA256=E088353C88877763D4E5BB6EB7FB55C81908DF639A9AF89EECA546FD9EDB18DE,IMPHASH=EDBDD2E193CED10C0D380B250BFC13C5trueMicrosoft WindowsValid 734700x80000000000000007989981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.515{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x80000000000000007989980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.515{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007989979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.515{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007989978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.515{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007989977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.515{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\TokenBroker.dll10.0.14393.4169 (rs1_release.210107-1130)Token BrokerMicrosoft® Windows® Operating SystemMicrosoft CorporationTokenBroker.dllMD5=9ECF3BE652A6FF4B5C4744697FDDABA2,SHA256=00DF6190CBF64C8840C1B9068A844D4A6584E6D82C8C6FD78CFDB10184F815C7,IMPHASH=F91C8ACC62DFD3D725FAC2A0CBB6AA8FtrueMicrosoft WindowsValid 734700x80000000000000007989976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.515{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x80000000000000007989975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.515{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x80000000000000007989974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.515{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x80000000000000007989973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.499{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x80000000000000007989972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.499{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007989971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.499{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007989970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.499{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007989969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.499{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007989968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.499{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007989967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.499{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007989966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.499{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007989965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.499{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007989964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.499{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x80000000000000007989963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.499{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007989962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.499{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007989961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.499{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe10.0.14393.0 (rs1_release.160715-1616)Runtime BrokerMicrosoft® Windows® Operating SystemMicrosoft CorporationRuntimeBroker.exeMD5=1E03C94933E088D9FAB00B49D46CC370,SHA256=20A7EB74EFD23933A5C0887D3D8CE66FEA009A6CD257508CB4B0EB70F8D27C57,IMPHASH=0891A2BEE16449C9DB94C8261A187390trueMicrosoft WindowsValid 734700x80000000000000007989960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.499{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007989959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.499{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007989958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.499{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007989957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.499{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007989956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.499{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007989955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.484{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.484{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.484{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570,IMPHASH=2E790E44628AED89C2CC17E1E4A5CE1CtrueMicrosoft WindowsValid 10341000x80000000000000007989951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.484{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.484{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.484{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6,IMPHASH=46ADE2B067E724C7163A0B1902FEF225trueMicrosoft WindowsValid 734700x80000000000000007989947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\rdpclip.exe10.0.14393.3503 (rs1_release.200131-0410)RDP Clipboard MonitorMicrosoft® Windows® Operating SystemMicrosoft Corporationrdpclip.exeMD5=D887E718FB0F4C99B9F01C5BD59F8B90,SHA256=ACFA1128B4EDD953F6364FA6216337A59C0522A01349263A11259A827838A56F,IMPHASH=5A464814303942D42A66B561CF697F26trueMicrosoft WindowsValid 734700x80000000000000007989946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007989945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x80000000000000007989944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=D0DB3DD09FB2B4ADABF4E719FAFC4EB9,SHA256=8B7C056B5F4AB604ED5077A39C63CE1B5A34929DE76DA4A3C54D6E648D123BAB,IMPHASH=AD7CEB919D43FA2BD394EC803EB6BCDAtrueMicrosoft WindowsValid 734700x80000000000000007989943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x80000000000000007989942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x80000000000000007989941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007989940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x80000000000000007989939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x80000000000000007989938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x80000000000000007989937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x80000000000000007989936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 734700x80000000000000007989935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007989934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007989933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007989932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007989931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007989930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007989929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\KBDUS.DLL10.0.14393.0 (rs1_release.160715-1616)United States Keyboard LayoutMicrosoft® Windows® Operating SystemMicrosoft Corporationkbdus.dllMD5=974F03FF3BDB6786F890329340E29CFF,SHA256=D02BCC19AB89EE188DD31D17DEBAECDE26CFC0B30B6E5B0CC5889CCC85202E63,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007989928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007989927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007989926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007989925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\KBDUS.DLL10.0.14393.0 (rs1_release.160715-1616)United States Keyboard LayoutMicrosoft® Windows® Operating SystemMicrosoft Corporationkbdus.dllMD5=974F03FF3BDB6786F890329340E29CFF,SHA256=D02BCC19AB89EE188DD31D17DEBAECDE26CFC0B30B6E5B0CC5889CCC85202E63,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007989924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007989923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007989922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007989921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeC:\Windows\System32\es.dll2001.12.10941.16384 (rs1_release.201002-1707)COM+Microsoft® Windows® Operating SystemMicrosoft CorporationES.DLLMD5=C82536B6DCD3370E13D1D34D4A05F13F,SHA256=CD636DCC4516803B77C2CDFECF3A14ADF25F7A8B00F23F1D57A7BA7BD87663DF,IMPHASH=D7A4AD00167880B37A17C79825E9F4B4trueMicrosoft WindowsValid 10341000x80000000000000007989920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-E8A8-60DD-F501-00000000C801}25762064C:\Windows\system32\csrss.exe{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x80000000000000007989919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 10341000x80000000000000007989918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007989916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.468{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007989913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.452{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.452{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.452{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007989910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.452{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.452{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.452{3BF36828-DD0D-60DD-1000-00000000C801}3723672C:\Windows\System32\svchost.exe{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\termsrv.dll+47f71|c:\windows\system32\termsrv.dll+1982c|c:\windows\system32\termsrv.dll+2320b|c:\windows\system32\termsrv.dll+22643|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 154100x80000000000000007989907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.459{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exe10.0.14393.3503 (rs1_release.200131-0410)RDP Clipboard MonitorMicrosoft® Windows® Operating SystemMicrosoft Corporationrdpclip.exerdpclipC:\Windows\system32\ATTACKRANGE\Administrator{3BF36828-E8A9-60DD-F846-180000000000}0x1846f82HighMD5=D887E718FB0F4C99B9F01C5BD59F8B90,SHA256=ACFA1128B4EDD953F6364FA6216337A59C0522A01349263A11259A827838A56F,IMPHASH=5A464814303942D42A66B561CF697F26{3BF36828-DD0D-60DD-1000-00000000C801}372C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k termsvcs 734700x80000000000000007989906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.452{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 10341000x80000000000000007989905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.452{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1000-00000000C801}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 734700x80000000000000007989904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.421{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeC:\Windows\System32\puiapi.dll10.0.14393.4169 (rs1_release.210107-1130)puiapi DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationpuiapi.dllMD5=D2424F4D41805276E86CB6E554126FB1,SHA256=1BEE1F135C82EF7B61FF2B440ADB3EE8211873CF6BA2D243A03059D6F5E879FF,IMPHASH=7620C00B56E516AF4504A732E1F155ECtrueMicrosoft WindowsValid 734700x80000000000000007989903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.452{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\System32\TSTheme.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x80000000000000007989902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.452{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\System32\TSTheme.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x80000000000000007989901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.452{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\System32\TSTheme.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x80000000000000007989900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.452{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\System32\TSTheme.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x80000000000000007989899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.437{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\System32\TSTheme.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x80000000000000007989898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.437{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\System32\TSTheme.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x80000000000000007989897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.437{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\System32\TSTheme.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 734700x80000000000000007989896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.421{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeC:\Windows\System32\printui.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Printer Settings User InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationprintui.dllMD5=AAC8826D101B9ECA597A5F60F8DF83EE,SHA256=A7A911A41DB4CA886EBCA0A419706966AF17024A5296059088BF89BACA042741,IMPHASH=40F3081A6276CAFA92EB64202FFC3A4FtrueMicrosoft WindowsValid 734700x80000000000000007989895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.437{3BF36828-DD0D-60DD-1000-00000000C801}372C:\Windows\System32\svchost.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0,IMPHASH=FED414075FF3F23F21C898B1860393B4trueMicrosoft WindowsValid 734700x80000000000000007989894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.437{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\System32\TSTheme.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0,IMPHASH=FED414075FF3F23F21C898B1860393B4trueMicrosoft WindowsValid 23542300x80000000000000007989893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.437{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53522EB2B2089433AB00BBE786DA8FD4,SHA256=DAF8CFEC82BA6ACEDB5B6B81B4EFCCD039962B24429CE14E456AF36FCC08FFE2,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007989892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.437{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\System32\TSTheme.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 10341000x80000000000000007989891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.437{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007989890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.437{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C1799C1D37E93995201650E9753C673A,SHA256=9EDDE59ECC0DB26FAACA343AC5593CCBBE5DE16CC375520E1B33198C7A014731,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007989889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.437{3BF36828-DD0D-60DD-0F00-00000000C801}3442296C:\Windows\system32\svchost.exe{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\system32\TSTheme.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.437{3BF36828-DD0D-60DD-0F00-00000000C801}3441364C:\Windows\system32\svchost.exe{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\system32\TSTheme.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.437{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\System32\TSTheme.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x80000000000000007989886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.437{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\System32\TSTheme.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 23542300x80000000000000007989885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.437{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8E3643943FF4B9E7461919A6F209ED59,SHA256=AA2B1F8231DDB46CA63938AF730E4DBF09DCD7DA515F55B66579B6FD32E7752B,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007989884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.421{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\System32\TSTheme.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x80000000000000007989883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.421{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\System32\TSTheme.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007989882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.421{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\System32\TSTheme.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007989881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.421{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\System32\TSTheme.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007989880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.421{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\System32\TSTheme.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007989879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.421{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\System32\TSTheme.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007989878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.421{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\System32\TSTheme.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007989877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.421{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\System32\TSTheme.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007989876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\System32\TSTheme.exeC:\Windows\System32\TSTheme.exe10.0.14393.4169 (rs1_release.210107-1130)TSTheme Server ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationTSThemeS.exeMD5=D5E6B1DA9AEE1CC85A50894A07700B98,SHA256=3A22AAA677B8B658386F6A22ECFB36795DC1BE55AED591FEAA05CA8D36973464,IMPHASH=851EBF0BAEED8A212E02B93229FDC674trueMicrosoft WindowsValid 734700x80000000000000007989875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.421{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\System32\TSTheme.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007989874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.421{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\System32\TSTheme.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007989873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.421{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\System32\TSTheme.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007989872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.421{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\System32\TSTheme.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007989871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.421{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\System32\TSTheme.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007989870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.421{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\System32\TSTheme.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007989869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.421{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\System32\TSTheme.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007989868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-E8A8-60DD-F501-00000000C801}2576416C:\Windows\system32\csrss.exe{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007989866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\System32\TSTheme.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007989862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\System32\TSTheme.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007989861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\System32\TSTheme.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007989858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007989851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007989850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.415{3BF36828-E8AA-60DD-FA01-00000000C801}4208C:\Windows\System32\TSTheme.exe10.0.14393.4169 (rs1_release.210107-1130)TSTheme Server ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationTSThemeS.exeC:\Windows\system32\TSTheme.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{3BF36828-E8A9-60DD-F846-180000000000}0x1846f82HighMD5=D5E6B1DA9AEE1CC85A50894A07700B98,SHA256=3A22AAA677B8B658386F6A22ECFB36795DC1BE55AED591FEAA05CA8D36973464,IMPHASH=851EBF0BAEED8A212E02B93229FDC674{3BF36828-DD0C-60DD-0C00-00000000C801}864C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 734700x80000000000000007989849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}864C:\Windows\System32\svchost.exeC:\Windows\System32\AppxAllUserStore.dll10.0.14393.4169 (rs1_release.210107-1130)AppX All User Store DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationAppXAllUserStore.dllMD5=8EC45C60943459F5868B83FB83D39647,SHA256=A335353E827AB767A2D4AE4758D78370BBD41AB0C519D0931C4CC8A5B4ADA5D7,IMPHASH=45FB94049089DA88404CBA52EAD7C374trueMicrosoft WindowsValid 734700x80000000000000007989848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0D-60DD-1000-00000000C801}372C:\Windows\System32\svchost.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BF,IMPHASH=B74E4EE6BBCE405BE73914241C9AF2C8trueMicrosoft WindowsValid 10341000x80000000000000007989847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0D-60DD-1000-00000000C801}372C:\Windows\System32\svchost.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x80000000000000007989845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD1D-60DD-2500-00000000C801}28684012C:\Windows\System32\spoolsv.exe{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\spoolsv.exe+1b0d3|C:\Windows\System32\spoolsv.exe+1af39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a27b|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.406{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23e0b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1000-00000000C801}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007989775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1000-00000000C801}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007989774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+37c3|c:\windows\system32\SYSNTFY.dll+1dcb|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.390{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.281{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeC:\Windows\System32\UserMgrProxy.dll10.0.14393.4283 (rs1_release.210303-1802)UserMgrProxyMicrosoft® Windows® Operating SystemMicrosoft Corporationusermgrproxy.dllMD5=AF3700CF9AAABABA08470416F00B7036,SHA256=8F1595F1AF0DECA3FBAE25E8FC2409ABC9C976EE2BB5B567B0E2FD33CBF4F22C,IMPHASH=F199335708837C17195EBB8AF4E3B0EFtrueMicrosoft WindowsValid 734700x80000000000000007989768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.265{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BF,IMPHASH=B74E4EE6BBCE405BE73914241C9AF2C8trueMicrosoft WindowsValid 734700x80000000000000007989767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.265{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeC:\Windows\System32\tokenbinding.dll10.0.14393.2363 (rs1_release.180625-1741)Token Binding ProtocolMicrosoft® Windows® Operating SystemMicrosoft Corporationtokenbinding.dllMD5=8AD65F608FD6964085B365A43F8DBEA4,SHA256=E088353C88877763D4E5BB6EB7FB55C81908DF639A9AF89EECA546FD9EDB18DE,IMPHASH=EDBDD2E193CED10C0D380B250BFC13C5trueMicrosoft WindowsValid 734700x80000000000000007989766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.265{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeC:\Windows\System32\TokenBroker.dll10.0.14393.4169 (rs1_release.210107-1130)Token BrokerMicrosoft® Windows® Operating SystemMicrosoft CorporationTokenBroker.dllMD5=9ECF3BE652A6FF4B5C4744697FDDABA2,SHA256=00DF6190CBF64C8840C1B9068A844D4A6584E6D82C8C6FD78CFDB10184F815C7,IMPHASH=F91C8ACC62DFD3D725FAC2A0CBB6AA8FtrueMicrosoft WindowsValid 734700x80000000000000007989765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.156{3BF36828-E8AA-60DD-F901-00000000C801}4388C:\Windows\System32\dllhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007989764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.109{3BF36828-E8AA-60DD-F901-00000000C801}4388C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E,IMPHASH=1C99A7F1249FB0C7B924253B69E59F88trueMicrosoft WindowsValid 734700x80000000000000007989763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.109{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeC:\Windows\System32\SettingSync.dll10.0.14393.4169 (rs1_release.210107-1130)Setting SynchronizationMicrosoft® Windows® Operating SystemMicrosoft CorporationSettingSync.dllMD5=AF6F1D9B22FFCE5EDA7BDD6EEE467C8A,SHA256=50E44F34EA8F20723D68E7B13E71691FD2DE1C3430F03DBA30F37EF8D1C22210,IMPHASH=880D2928959B0BAA732EB20FBA4FC1E1trueMicrosoft WindowsValid 734700x80000000000000007989762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.093{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeC:\Windows\System32\shacctprofile.dll10.0.14393.0 (rs1_release.160715-1616)Shell Accounts Profile ClassesMicrosoft® Windows® Operating SystemMicrosoft Corporationshacctprofile.dllMD5=5FD61CBBA92898CF722A96C6565FDCE3,SHA256=B08D8E9C47A62A748937BB6975DEEE85E5C55F634A4214F46CC5F75D41CD2211,IMPHASH=2C71174EBC4002AB876F4E6F44B03785trueMicrosoft WindowsValid 734700x80000000000000007989761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.952{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\FontGlyphAnimator.dll10.0.14393.4169 (rs1_release.210107-1130)Font Glyph AnimatorMicrosoft® Windows® Operating SystemMicrosoft CorporationFontGlyphAnimator.dllMD5=3179BAF869C1815F2A39438DD5EFD620,SHA256=7A89DD1B6F0DCF16AF14A03EA04718DAAD8FE01E97C61933BD81E6371251AA31,IMPHASH=50CFAE7BE5DDFAF9B3957BA4D337BEADtrueMicrosoft WindowsValid 734700x80000000000000007989760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.952{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207,IMPHASH=24160898971C9C6FED5AE429E3AAD3DAtrueMicrosoft WindowsValid 734700x80000000000000007989759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.296{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeC:\Windows\System32\NtlmShared.dll10.0.14393.3269 (rs1_release.190929-1234)NTLM Shared FunctionalityMicrosoft® Windows® Operating SystemMicrosoft CorporationNtlmShared.dllMD5=99F4D90B3ED53855C06F856006E770D1,SHA256=A95E5823B68182C4E32CB783AD23BC4FF60690001C70E6B5E920C12740C4C37C,IMPHASH=36FD662FB3EF657597E485F3FC734A67trueMicrosoft WindowsValid 734700x80000000000000007989758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.296{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeC:\Windows\System32\msv1_0.dll10.0.14393.3866 (rs1_release.200805-1327)Microsoft Authentication Package v1.0Microsoft® Windows® Operating SystemMicrosoft CorporationMSV1_0.DLLMD5=2A725546D9B1F9DB4974A2EA4225D0A8,SHA256=46AD1AC8C7DB7D21E8F41EFC734B855CEE566CB58F8FB825775490DC5DE89C94,IMPHASH=A243271C363636A670D5D150D4D338C9trueMicrosoft WindowsValid 10341000x80000000000000007989757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.281{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.281{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.281{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.281{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.281{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.281{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.281{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.281{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.281{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.281{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.937{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeC:\Windows\System32\ScDeviceEnum.dll10.0.14393.2273 (rs1_release_1.180427-1811)Smart Card Device Enumeration ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationScDeviceEnum.dllMD5=32114341105710A1256AA6F040203FC4,SHA256=02281575F40879B826214431C75410D7B09FDAACFFF2469A3FB00B62DC57CE64,IMPHASH=D364067D50345F5C61F205B88FBE7A91trueMicrosoft WindowsValid 734700x80000000000000007989746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.906{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\WinSCard.dll10.0.14393.2273 (rs1_release_1.180427-1811)Microsoft Smart Card APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwinscard.dllMD5=85E2B5FCB057B0476687CCFE28E589A5,SHA256=4B99A7709FAC8E9CF95AA186651BE455C0998414E2D2D807DF1B000EB26FBD15,IMPHASH=8E9831D203C36A499228D7F02C6B90D8trueMicrosoft WindowsValid 734700x80000000000000007989745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.937{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeC:\Windows\System32\WinSCard.dll10.0.14393.2273 (rs1_release_1.180427-1811)Microsoft Smart Card APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwinscard.dllMD5=85E2B5FCB057B0476687CCFE28E589A5,SHA256=4B99A7709FAC8E9CF95AA186651BE455C0998414E2D2D807DF1B000EB26FBD15,IMPHASH=8E9831D203C36A499228D7F02C6B90D8trueMicrosoft WindowsValid 734700x80000000000000007989744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.890{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\IDStore.dll10.0.14393.4169 (rs1_release.210107-1130)Identity StoreMicrosoft® Windows® Operating SystemMicrosoft CorporationIdStore.dllMD5=C361C32146F8C2E67168CFC076DBBF55,SHA256=D27DC85DE98B5C85AAAEEE1FC2EBE0F92B53F82F35F0AC6A49ADAE83456C0740,IMPHASH=E5FDBED6A52D2B5010634A77EC08AD4DtrueMicrosoft WindowsValid 734700x80000000000000007989743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.249{3BF36828-E8AA-60DD-F901-00000000C801}4388C:\Windows\System32\dllhost.exeC:\Windows\System32\IDStore.dll10.0.14393.4169 (rs1_release.210107-1130)Identity StoreMicrosoft® Windows® Operating SystemMicrosoft CorporationIdStore.dllMD5=C361C32146F8C2E67168CFC076DBBF55,SHA256=D27DC85DE98B5C85AAAEEE1FC2EBE0F92B53F82F35F0AC6A49ADAE83456C0740,IMPHASH=E5FDBED6A52D2B5010634A77EC08AD4DtrueMicrosoft WindowsValid 734700x80000000000000007989742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.249{3BF36828-E8AA-60DD-F901-00000000C801}4388C:\Windows\System32\dllhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x80000000000000007989741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.249{3BF36828-E8AA-60DD-F901-00000000C801}4388C:\Windows\System32\dllhost.exeC:\Windows\System32\userenv.dll10.0.14393.3986 (rs1_release.201002-1707)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=047D26DCED07A10913C3E7C3A7502BED,SHA256=143C661F79AC6BB271452A10C2A19F6B1AAAAE43B4062B6CFF173F7D8ABC40FE,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x80000000000000007989740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.249{3BF36828-E8AA-60DD-F901-00000000C801}4388C:\Windows\System32\dllhost.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007989739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.874{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\mfsensorgroup.dll10.0.14393.4169 (rs1_release.210107-1130)Media Foundation Sensor Group DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmfsensorgroup.dllMD5=7CB78A0BF4D6AEA6A4C367DFC7645CD0,SHA256=5504F29CAE19AF9A98D65508A350F518AEA1C66235029B1881CA765146E92D99,IMPHASH=86C22AEFE3E4067CC0F34A1D80C38807trueMicrosoft WindowsValid 734700x80000000000000007989738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.234{3BF36828-E8AA-60DD-F901-00000000C801}4388C:\Windows\System32\dllhost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x80000000000000007989737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.234{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8AA-60DD-F901-00000000C801}4388C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.234{3BF36828-E8AA-60DD-F901-00000000C801}4388C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007989735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.874{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.Media.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Media Runtime DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Media.dllMD5=28B4EDF53317E0FFA2452AEEC47C4183,SHA256=849608262794A5270B0A22A7412B77C2826E807DC6EA932E5D08451ADDB6078A,IMPHASH=88691B5201F0FCC6E05D2593797A195AtrueMicrosoft WindowsValid 734700x80000000000000007989734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.218{3BF36828-E8AA-60DD-F901-00000000C801}4388C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007989733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.218{3BF36828-E8AA-60DD-F901-00000000C801}4388C:\Windows\System32\dllhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007989732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.218{3BF36828-E8AA-60DD-F901-00000000C801}4388C:\Windows\System32\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007989731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.202{3BF36828-E8AA-60DD-F901-00000000C801}4388C:\Windows\System32\dllhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x80000000000000007989730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.202{3BF36828-E8AA-60DD-F901-00000000C801}4388C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007989729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.202{3BF36828-E8AA-60DD-F901-00000000C801}4388C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007989728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.202{3BF36828-E8AA-60DD-F901-00000000C801}4388C:\Windows\System32\dllhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007989727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.187{3BF36828-E8AA-60DD-F901-00000000C801}4388C:\Windows\System32\dllhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007989726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.187{3BF36828-E8AA-60DD-F901-00000000C801}4388C:\Windows\System32\dllhost.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007989725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.796{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\DevDispItemProvider.dll10.0.14393.0 (rs1_release.160715-1616)DeviceItem inproc devquery subsystemMicrosoft® Windows® Operating SystemMicrosoft CorporationDevDispItemProvider.dllMD5=CCDEFAE1F31F9F9AED64686A143D3D0A,SHA256=CF96EB0C3422628398D218152A729221C0F5D09F287E083AE88ECD77DB2C11BC,IMPHASH=B96B407351B4F23871E4087C6E937148trueMicrosoft WindowsValid 734700x80000000000000007989724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.156{3BF36828-E8AA-60DD-F901-00000000C801}4388C:\Windows\System32\dllhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007989723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.781{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\shacct.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Shell Accounts ClassesMicrosoft® Windows® Operating SystemMicrosoft Corporationshacct.dllMD5=6C3405DC9DB5740B6B2AD3AF67031A2E,SHA256=223153AF2A71D3549CCE25D3EAA294DD44471EA8A0733E5AC1EFD7D99D03886E,IMPHASH=F9EDABA9B540C273AC125BA9D119C3AAtrueMicrosoft WindowsValid 734700x80000000000000007989722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.781{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\rtutils.dll10.0.14393.3930 (rs1_release.200901-1914)Routing UtilitiesMicrosoft® Windows® Operating SystemMicrosoft CorporationRTUTILS.DLLMD5=7F8BC94C915BD52D3422C5AD11389CEF,SHA256=68012DC490FEB77A313007FB1C3EC3F158A5C339AE620DC869B192EDAAED545B,IMPHASH=C5AA2478104DB535756B980DF0497145trueMicrosoft WindowsValid 734700x80000000000000007989721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.781{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\rasplap.dll10.0.14393.4283 (rs1_release.210303-1802)RAS PLAP Credential ProviderMicrosoft® Windows® Operating SystemMicrosoft CorporationRasCredProvMD5=3F09354D09FC8331BB5F8B1D1ECB4503,SHA256=EA48272DF75B81FC14CFCF7CF2FA11E3CE921E18FD5B1FC475C1231C3CBD520F,IMPHASH=7EB175244ACD110A7447F926DD91F627trueMicrosoft WindowsValid 734700x80000000000000007989720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.140{3BF36828-E8AA-60DD-F901-00000000C801}4388C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007989719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.124{3BF36828-E8AA-60DD-F901-00000000C801}4388C:\Windows\System32\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007989718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.765{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\wlidcredprov.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Account Credential ProviderMicrosoft® Windows® Operating SystemMicrosoft CorporationWlidCredProvider.dllMD5=BFDFA8D6CE74D72FC3CAC3E8B6D05FB7,SHA256=172538FF3768FA97A54D4B33B7E3253F568013DF9F8102E023DEFF4CA44B2BBC,IMPHASH=AC43D6C08681C0DFDC982DCBAA555A68trueMicrosoft WindowsValid 734700x80000000000000007989717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.765{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\MSWB7.dll10.0.14393.2791 (rs1_release.190205-1511)MSWB7 DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSWB7.dllMD5=5C7C3EBF7A50560DE37B750F3BB0F2B2,SHA256=227474B4306F6FA4F4A7EC5DAE2E91104BA6A156E31BDAD4B82D2E5426A53729,IMPHASH=A39738A99E764D3F4E439E2498C99B04trueMicrosoft WindowsValid 10341000x80000000000000007989716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.109{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E8AA-60DD-F901-00000000C801}4388C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007989715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.109{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8AA-60DD-F901-00000000C801}4388C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.749{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\certCredProvider.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cert Credential ProviderMicrosoft® Windows® Operating SystemMicrosoft CorporationCertCredprovider.dllMD5=5C5920708E3A7386E3FB97F06A1CF6CD,SHA256=2CEBA7FEC4C2DA3384BE80CB70C5AF04F45727BDA3DEF9A79F478B071AB9FC0C,IMPHASH=A01F108876C25B588A60F1407EC75717trueMicrosoft WindowsValid 734700x80000000000000007989713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.749{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\ngckeyenum.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft Passport Key Enumeration ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationngckeyenum.dllMD5=ACF9A79DE065065D9B9F3C060D8FD883,SHA256=72A663ED47F6354E1EF19D6E5D4BC1118B8BF699B9E112E89BBE8DC8B9D83187,IMPHASH=7408E186279579FBFF9DD5099C815B63trueMicrosoft WindowsValid 10341000x80000000000000007989712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.093{3BF36828-DD0B-60DD-0B00-00000000C801}6522840C:\Windows\system32\lsass.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.734{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\BioCredProv.dll10.0.14393.4169 (rs1_release.210107-1130)WinBio Credential ProviderMicrosoft® Windows® Operating SystemMicrosoft CorporationBioCredProv.dllMD5=73F8BD8ED7C88C247AE1F8931FE84024,SHA256=50102694895A05D4554A54C775A033664DF7B9E51347F918E2A2FEF2F2B747C0,IMPHASH=01D3BF39F15617F2002037CAEC4CA502trueMicrosoft WindowsValid 734700x80000000000000007989710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.077{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\System32\svchost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x80000000000000007989709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.077{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\System32\svchost.exeC:\Windows\System32\userenv.dll10.0.14393.3986 (rs1_release.201002-1707)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=047D26DCED07A10913C3E7C3A7502BED,SHA256=143C661F79AC6BB271452A10C2A19F6B1AAAAE43B4062B6CFF173F7D8ABC40FE,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x80000000000000007989708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.734{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\StructuredQuery.dll7.0.14393.4169 (rs1_release.210107-1130)Structured QueryWindows® SearchMicrosoft CorporationStructuredQuery.dllMD5=330E02FA330C93B93B477AA2F88C8A3A,SHA256=958A6977B820D04D94C8FD85C23CC62D77F0498BB59A648744E8F43704FD7F26,IMPHASH=870079407DAAD548AC5B3F417EEBB243trueMicrosoft WindowsValid 734700x80000000000000007989707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.718{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\ngccredprov.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Passport Credential ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationngccredprov.dllMD5=5125FB8AD27095A89651EFE26DF82B8F,SHA256=B49A3E4B223B5737ABB834DA077E2F525B8D5A4E7A226134AD23B19BD20DA5B5,IMPHASH=BD5237271CB2F0AA3004D8AC0791F836trueMicrosoft WindowsValid 734700x80000000000000007989706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.702{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\biwinrt.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Background Broker InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationbiwinrt.dllMD5=1774BAC67716351387E5F11635DEED8D,SHA256=74F9B4190CFFADCE3ED3F61D4FD6A4F7CCC6EE0F42E3452D018E8160ECB3BE1F,IMPHASH=518BBC26E9BA87459E80712401FEE077trueMicrosoft WindowsValid 734700x80000000000000007989705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.702{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\Windows.Devices.Enumeration.dll10.0.14393.4169 (rs1_release.210107-1130)Windows.Devices.EnumerationMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Devices.Enumeration.dllMD5=4C62915A0F4A5D426D857C5DEC342AE9,SHA256=371A5B33833D0433F525EF0A0E61B7EFE5F91142F814241AB291C178B055BCB3,IMPHASH=19CB1EC42DBF9C106DE4DE251E31017EtrueMicrosoft WindowsValid 10341000x80000000000000007989704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.046{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1000-00000000C801}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007989703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.046{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007989702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.046{3BF36828-DD0D-60DD-0F00-00000000C801}3442016C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.687{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\facecredentialprovider.dll10.0.14393.4169 (rs1_release.210107-1130)Face Credential ProviderMicrosoft® Windows® Operating SystemMicrosoft CorporationFaceCredentialProvider.dllMD5=75568151502F3012E5A0B28D53517B21,SHA256=6CD897692F27AF5291034213CFA48CF0A0517C33A5A23ED270F12DDE98FB32D9,IMPHASH=A57735F3674892C8A813AC842EA6CFAFtrueMicrosoft WindowsValid 734700x80000000000000007989700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.046{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\System32\winlogon.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 10341000x80000000000000007989699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.046{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2de4|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.046{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2dce|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.046{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+57a4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.671{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\cngcredui.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft CNG CredUI ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationcngcredui.dllMD5=FE84C1709B761FFCFA7F4340FA451A65,SHA256=329D2D141C9C0ECC68C12E8B68D0413C396F47C83C85621A410773D8BB1A494C,IMPHASH=9AEED300060E76958D7D2ED9F8BF8EDFtrueMicrosoft WindowsValid 734700x80000000000000007989695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.671{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\credprovs.dll10.0.14393.4169 (rs1_release.210107-1130)Credential ProvidersMicrosoft® Windows® Operating SystemMicrosoft Corporationcredprovs.dllMD5=913EF3B2F5DF7C749774F6FF3B054C11,SHA256=4E3F665593865080E37EA4F3108102FD222C2DECE3841F178EAF29A9CCB59C2C,IMPHASH=4D8C135A6C32D5E52CB9D0ED6F5E66D4trueMicrosoft WindowsValid 10341000x80000000000000007989694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.031{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1000-00000000C801}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007989693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.015{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1000-00000000C801}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007989692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.015{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1000-00000000C801}372C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007989691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.015{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2f9b|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.015{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2f4d|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.015{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+5718|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.015{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+56c4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.015{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\KBDUS.DLL10.0.14393.0 (rs1_release.160715-1616)United States Keyboard LayoutMicrosoft® Windows® Operating SystemMicrosoft Corporationkbdus.dllMD5=974F03FF3BDB6786F890329340E29CFF,SHA256=D02BCC19AB89EE188DD31D17DEBAECDE26CFC0B30B6E5B0CC5889CCC85202E63,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007989686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.671{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\credprovslegacy.dll10.0.14393.4169 (rs1_release.210107-1130)Credential Providers LegacyMicrosoft® Windows® Operating SystemMicrosoft Corporationcredprovslegacy.dllMD5=C54FE5EE50B5B797FFCFCC1B00A0076C,SHA256=2676BC00EB97E8BC4F3052EF09106DA33FA33CECC66D179164B3B2FE9DEFD9F6,IMPHASH=350AE9643284403B93B04574B73914E7trueMicrosoft WindowsValid 10341000x80000000000000007989685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.015{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.015{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.015{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.015{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007989681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.656{3BF36828-E8A9-60DD-F701-00000000C801}1708C:\Windows\System32\LogonUI.exeC:\Windows\System32\SmartcardCredentialProvider.dll10.0.14393.2248 (rs1_release.180427-1804)Windows Smartcard Credential ProviderMicrosoft® Windows® Operating SystemMicrosoft CorporationSmartcardCredentialProvider.dllMD5=89F3FE0276D7A31BA02AC3366F964FEE,SHA256=EE1AC8484F240304375600A1B95B64670D660EEC8E3D9F49D7782505D38E28B2,IMPHASH=634A0E8BBEC2A27265F521A876EDBBDAtrueMicrosoft WindowsValid 10341000x80000000000000007989680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.999{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.999{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-E8A8-60DD-F601-00000000C801}4416C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.999{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.999{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.999{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007989675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.999{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015899323Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:14.405{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12907DB8CE465FD7803541B05320AB9E,SHA256=9F34A4BDAD10E482B9CE07BA9B13EB07DA801E2A4700AE4BCFBBFF5ABF85885C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007990688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.968{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\ninput.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft Pen and Touch Input ComponentMicrosoft® Windows® Operating SystemMicrosoft CorporationNINPUT.DLLMD5=BF084D22F7064E686F9BBAC541C680B5,SHA256=ED2E99746A98BAB14B5B565E5D3F092143AA2D8BD0CBD08FE047B64AEF5EF440,IMPHASH=ADED91AA394AD8A3D54B5A54F35771D4trueMicrosoft WindowsValid 734700x80000000000000007990687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.984{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30E,IMPHASH=8F811B713271A0FEFA798FB95D523A8BtrueMicrosoft WindowsValid 734700x80000000000000007990686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.984{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\execmodelproxy.dll10.0.14393.0 (rs1_release.160715-1616)ExecModelProxyMicrosoft® Windows® Operating SystemMicrosoft CorporationExecModelProxy.dllMD5=A0251547D09C624F5E0FDFED5F14C834,SHA256=A6E167A77AC44A73323B8FF65E1FA2BAEDC0E092255F81FE041B35D40970FF90,IMPHASH=B1BB7A0B17604581DFBD9AE821306153trueMicrosoft WindowsValid 10341000x80000000000000007990685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.984{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.984{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.937{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\NPSM.dll10.0.14393.4169 (rs1_release.210107-1130)NPSMMicrosoft® Windows® Operating SystemMicrosoft CorporationNPSM.dllMD5=BB4EE5BF5326D3CE8511521CC9C75102,SHA256=EF86C927183D5C1F592C748F5B3A90C6AAB747F6B65A792C852F32C02E8052E4,IMPHASH=F7F4D2DB962FA89A52F2FBA71C05AC2EtrueMicrosoft WindowsValid 734700x80000000000000007990682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.968{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\UIAnimation.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Animation ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationUIAnimation.DLLMD5=7F8B0CD5AB8C3E677B98400A2E7C3A75,SHA256=D49C09FBF9BD077A81CB9DA8DE09D2EB1835BCF5F0153373DCE6B484A0F64227,IMPHASH=BC9606EA9B100715129576DB5908D6A8trueMicrosoft WindowsValid 734700x80000000000000007990681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.937{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007990680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.968{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\d3d10warp.dll10.0.14393.2608 (rs1_release.181024-1742)Direct3D 10 RasterizerMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D10Warp.dllMD5=B69F0419A16A616FE2D779EC98CD7FB9,SHA256=2D10B43F2137433E48A009227487C691E312D186691485D33B4FDF90D8423C9D,IMPHASH=E32C7474360C94A9FE5E17141A4AB35FtrueMicrosoft WindowsValid 734700x80000000000000007990679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.968{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\ResourcePolicyClient.dll10.0.14393.3808 (rs1_release.200707-2105)Resource Policy ClientMicrosoft® Windows® Operating SystemMicrosoft CorporationResourcePolicyClient.dllMD5=8FD5FEFE4E020BBC2D95F07BCDC84F71,SHA256=E5E351822CCDEBF81C47C4CA1D5C158E2880C1BD29CA024D163FD9316F3046AE,IMPHASH=E494F732179E765F2CE18BC21CDB1948trueMicrosoft WindowsValid 734700x80000000000000007990678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.937{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\AboveLockAppHost.dll10.0.14393.4169 (rs1_release.210107-1130)AboveLockAppHostMicrosoft® Windows® Operating SystemMicrosoft CorporationAboveLockAppHost.dllMD5=E257DDC7865E2E576601EF0EF6083746,SHA256=B75C68B2123F2AAB6E96E543C87761C5947C4DD3DB42E1817C5986BFB94D79AF,IMPHASH=FBD760CA542017F9CA6E21CAB2CE1EE9trueMicrosoft WindowsValid 734700x80000000000000007990677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.921{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscapi.dllMD5=6433F8201BFB449DC6B47F6999C2F164,SHA256=06729F1E0A0596620B48B6DC4A2CC9CC5FE55B17BD488C71F7F15AA4262C8C14,IMPHASH=50E2F760F0B39DC72CAD6892FEDF2F27trueMicrosoft WindowsValid 734700x80000000000000007990676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.952{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\Windows.Networking.Connectivity.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Networking Connectivity Runtime DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Networking.Connectivity.dllMD5=7934F613774F04B5BFD097B3D77F81FB,SHA256=E1A32AADFED0859269C89D4E1C961D3BC8EA2A5FA86487C9817BB52899E0F60E,IMPHASH=A22E7FE596D3FD4304E9006454C5249BtrueMicrosoft WindowsValid 734700x80000000000000007990675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.921{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\NotificationController.dll10.0.14393.4169 (rs1_release.210107-1130)NotificationControllerMicrosoft® Windows® Operating SystemMicrosoft CorporationNotificationController.dllMD5=68D32E7D910E5DB89D61331725E77F58,SHA256=2E2E3CE561CF67A66E5C5C122D791073B73CEFFB7565AB7D28850316F1998C50,IMPHASH=98B21F9AF6FF000B3C94CE9DC60FA53FtrueMicrosoft WindowsValid 734700x80000000000000007990674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.906{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\ntshrui.dll10.0.14393.4169 (rs1_release.210107-1130)Shell extensions for sharingMicrosoft® Windows® Operating SystemMicrosoft Corporationntshrui.dllMD5=E996A5D4EA7754FF1B0411F0B1664603,SHA256=B2DA0AC549C551A2CAF0714EF3B344C33943292FB1FA9F2EEFA706B6FF18F1A2,IMPHASH=AC4154F2DB854AC5F42815BCE5C34155trueMicrosoft WindowsValid 734700x80000000000000007990673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.859{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\winsqlite3.dll3.12.2SQLite is a software library that implements a self-contained, serverless, zero-configuration, transactional SQL database engine.SQLiteSQLite Development Team-MD5=96C4CBD3C8DF0FA34591FEE057AF3E1F,SHA256=C545B9FE35631FBEF55D46AAB58896523E13CF500A5E95D97928CF2F942E185A,IMPHASH=0A0CDE8F2734C0D93346681891F0CC0FtrueMicrosoft Windows 3rd party ComponentValid 734700x80000000000000007990672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.921{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x80000000000000007990671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.921{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x80000000000000007990670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.921{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x80000000000000007990669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.921{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x80000000000000007990668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.921{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007990667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.859{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007990666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.859{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007990665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.859{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\wpncore.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Push Notification CoreMicrosoft® Windows® Operating SystemMicrosoft Corporationwpncore.dllMD5=7069B367F9FA78FD9C99685C17ABE6B0,SHA256=F697D307353A2F09D2BA7591F0B0CB77B237EBE3CD56CFBB7FCC6F2E43E4B4FD,IMPHASH=208B84EF08A78D65FB516C9E26F2A7EEtrueMicrosoft WindowsValid 734700x80000000000000007990664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.843{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\ApplicationFrame.dll10.0.14393.4169 (rs1_release.210107-1130)Application FrameMicrosoft® Windows® Operating SystemMicrosoft CorporationApplicationFrame.dllMD5=105AD61AE707DEBEDD67245C65C32CDB,SHA256=09E38AFC2074AC37A9E0E97E633A7A647CD1DAEB5AA3573B10D68FEAA722F91F,IMPHASH=EC83155797F9BD06F85A11FB2604A094trueMicrosoft WindowsValid 10341000x80000000000000007990663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.874{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.874{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.874{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207,IMPHASH=24160898971C9C6FED5AE429E3AAD3DAtrueMicrosoft WindowsValid 734700x80000000000000007990660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.812{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\twinui.pcshell.dll10.0.14393.4169 (rs1_release.210107-1130)Twinui.PCShellMicrosoft® Windows® Operating SystemMicrosoft CorporationTwinui.PCShell.dllMD5=636C20A1D5CA677307D940F2D0CF44DB,SHA256=A949C5CA618DD9BE68DC9E83A65272C87193D10FF866DC5B600E576146E09B5E,IMPHASH=2EAD1C7522253A9857E83E7A848DD5A7trueMicrosoft WindowsValid 734700x80000000000000007990659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.859{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007990658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.859{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843,IMPHASH=EAA4328F5E33714FA08C71E4AAE43CC1trueMicrosoft WindowsValid 734700x80000000000000007990657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.859{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4,IMPHASH=B6A1A16A2B5E910045E998CD7709E966trueMicrosoft WindowsValid 734700x80000000000000007990656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.859{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\cdp.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft (R) CDP Client APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCDP.dllMD5=97BCD0CFB8C9A7133688C1683B8BB049,SHA256=A4DCBC842B5D97DBE298130BA97D329085B992F15B9FC4C2F78871826618CD80,IMPHASH=BA9A45255BAE8B363B6B657A12E44278trueMicrosoft WindowsValid 734700x80000000000000007990655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.859{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\urlmon.dll11.00.14393.4402 (rs1_release.210426-1725)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=3562767F9C1D8359A735D4F64A9733F5,SHA256=7E60D82C417779D316000AD376BE9BA2CD14728616F35289E34E47CC6839620B,IMPHASH=198DE5B70ABFFE7B73AD088D655B26D1trueMicrosoft WindowsValid 734700x80000000000000007990654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.859{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\winhttp.dll10.0.14393.4169 (rs1_release.210107-1130)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=24995B62FFC2519B34A2145673BD275F,SHA256=BB7D4DE1BE6111462F65F999A8969DA04113F15A80D534A93D3CCC76A9FE1F22,IMPHASH=F1FC6BF3699C289EBAF914A7771E49CDtrueMicrosoft WindowsValid 734700x80000000000000007990653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.765{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\windows.immersiveshell.serviceprovider.dll10.0.14393.4169 (rs1_release.210107-1130)Windows.ImmersiveShell.ServiceProviderMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.ImmersiveShell.ServiceProvider.dllMD5=5893EE6BCE3F7C81C56E6DC24A72AC19,SHA256=668EF6593A9F536EDB4C0847186087BC26AB0177AD133866027152540AEEFA0F,IMPHASH=AA285E59F122BEFCB48E4297767D2FA1trueMicrosoft WindowsValid 734700x80000000000000007990652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.765{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\thumbcache.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Thumbnail CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationthumbcache.dllMD5=C146766884A92B154F2EB38463F2263D,SHA256=48C5CC7760187EDB140A904D3AC5FD24F740973CDBA07962047859F84E7BEB9C,IMPHASH=428FE673E24F7848BECF2BA2271A839AtrueMicrosoft WindowsValid 734700x80000000000000007990651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.843{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x80000000000000007990650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.843{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\Windows.UI.Immersive.dll10.0.14393.4283 (rs1_release.210303-1802)WINDOWS.UI.IMMERSIVEMicrosoft® Windows® Operating SystemMicrosoft CorporationWINDOWS.UI.IMMERSIVE.dllMD5=4331AC493E264AF1378E0082194D07A5,SHA256=81B8E123110B9C7A34957B9176791AD86EA874315D4555FDC85CF20975E08D99,IMPHASH=C0750252600F63F4BA1D73794E8FE8C0trueMicrosoft WindowsValid 734700x80000000000000007990649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.749{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\twinui.dll10.0.14393.4169 (rs1_release.210107-1130)TWINUIMicrosoft® Windows® Operating SystemMicrosoft CorporationTWINUI.dllMD5=7F1F1B63C8AA1D6EA1057589ECF0AC12,SHA256=4E20B33E2E951359C9FEBD1EE66A2B24E5BAACB0C6CFF5E3543CAAB00C99AA91,IMPHASH=B98A56301D4EF217B14C24D92F13B2B4trueMicrosoft WindowsValid 734700x80000000000000007990648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.843{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\CoreUIComponents.dll-----MD5=938961BA199F9626C72673E8D67A0D56,SHA256=92414B7F78A45D4DE494F3283B2A33A1F422E32F73C1733AA9071EE0B89ADC5E,IMPHASH=E1E6E93CD96B5C1875509E930B2B8C21trueMicrosoft WindowsValid 734700x80000000000000007990647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.843{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\d2d1.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft D2D LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationd2d1MD5=E15A420D82314AF63973D7D0AB3BA2DD,SHA256=C264B2FA1F3E67E558E2671807C06270926EF456F4FF83F1F9859B18184F187E,IMPHASH=5F8C6AF7D0781F35A516AEB072DAD045trueMicrosoft WindowsValid 734700x80000000000000007990646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.812{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\twinui.appcore.dll10.0.14393.4169 (rs1_release.210107-1130)TWINUI.APPCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationTWINUI.APPCORE.dllMD5=6DC89814533DB3F3EDAABEEAA2971D7C,SHA256=5606E78F5C86AFD607E6571108710B1E9A248D9109EDA100D53821514192DE20,IMPHASH=7EC3400A2CC8697642592FCB9208B932trueMicrosoft WindowsValid 10341000x80000000000000007990645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.812{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.812{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.812{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\sppc.dll10.0.14393.67 (rs1_release.160804-2231)Software Licensing Client DllMicrosoft® Windows® Operating SystemMicrosoft Corporationsppc.dllMD5=7CF84329545035CC0833119C7268A620,SHA256=49E3FA8B9F9ACB1A2CEDE37970361316C93286CEE7F70DE5985E7135498A4210,IMPHASH=BC4A2B9355432144727A5322381AB386trueMicrosoft WindowsValid 734700x80000000000000007990642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.812{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\slc.dll10.0.14393.67 (rs1_release.160804-2231)Software Licensing Client DllMicrosoft® Windows® Operating SystemMicrosoft Corporationslc.dllMD5=060E11DCB875D981E948073986E295DC,SHA256=30858EA58F24537CC3369091F92AD70C59877BDB1FDF8DEC7762A7AB72DDE885,IMPHASH=70AAA0F56F084D1AE09EB5CD51B268ECtrueMicrosoft WindowsValid 10341000x80000000000000007990641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.796{3BF36828-E8AA-60DD-0002-00000000C801}21363752C:\Windows\system32\taskhostw.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.796{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.796{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.796{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570,IMPHASH=2E790E44628AED89C2CC17E1E4A5CE1CtrueMicrosoft WindowsValid 734700x80000000000000007990637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.796{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\wintrust.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=D8CD8451D1E194230F18866AD6EFE5E7,SHA256=9977AA1287962035C24DF806DDA67F09FFE9BDF696DBA507D749C624AE1C178D,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x80000000000000007990636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.796{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=51A0208B106B4392AC4B3174B27A39EF,SHA256=EA9955976994C44DC091A07C69E9C863A4D5A960900019D3C4136BDFD1F885D4,IMPHASH=334E5331674424695F9872596E2677C7trueMicrosoft WindowsValid 10341000x80000000000000007990635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.781{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.781{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.781{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.781{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.781{3BF36828-DD0D-60DD-0F00-00000000C801}3443548C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\shsvcs.dll+11f99|c:\windows\system32\shsvcs.dll+11ba6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000007990630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.781{3BF36828-DD0D-60DD-0F00-00000000C801}3443548C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x101068C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\shsvcs.dll+11f27|c:\windows\system32\shsvcs.dll+11ba6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000007990629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.781{3BF36828-E8AA-60DD-0002-00000000C801}21363752C:\Windows\system32\taskhostw.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.781{3BF36828-E8AA-60DD-0002-00000000C801}21363752C:\Windows\system32\taskhostw.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.765{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AE,IMPHASH=52045AC79DBE663F06AB7C9717524D40trueMicrosoft WindowsValid 734700x80000000000000007990626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.577{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\ExplorerFrame.dll10.0.14393.4169 (rs1_release.210107-1130)ExplorerFrameMicrosoft® Windows® Operating SystemMicrosoft CorporationExplorerFrame.dllMD5=BB0850797E5D50E70FFB3FFCEBFE77A9,SHA256=042F69100AAEB04CF79872035422A033FB87F2F0113EE89AB6B61FFA41A224D8,IMPHASH=BE381F028EB6D274783D5F8AA4F3DCECtrueMicrosoft WindowsValid 734700x80000000000000007990625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.624{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BF,IMPHASH=B74E4EE6BBCE405BE73914241C9AF2C8trueMicrosoft WindowsValid 734700x80000000000000007990624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.546{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\System32\svchost.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007990623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.577{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\Windows.UI.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Runtime UI Foundation DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.UI.dllMD5=FEC31833E8D13591BAECE59B8E39F53C,SHA256=424BAEA0DC8EF34305A881F9B36F22E8CFECA403A0D03B61782D69535387A401,IMPHASH=B073DE28C43175420FE754415439CCEAtrueMicrosoft WindowsValid 734700x80000000000000007990622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.515{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\System32\svchost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x80000000000000007990621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.577{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\StateRepository.Core.dll10.0.14393.4169 (rs1_release.210107-1130)StateRepository CoreMicrosoft® Windows® Operating SystemMicrosoft CorporationStateRepository.Core.dllMD5=94299201E0B602E4692F61C5A46E32D9,SHA256=D343410FB20D88B74BF661CACADBBD913034D02410A826A84D60B2B66A95A862,IMPHASH=53CA7FAF1CEDFB0EC8CCD763B974D4A1trueMicrosoft WindowsValid 734700x80000000000000007990620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.577{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\Windows.StateRepository.dll10.0.14393.4169 (rs1_release.210107-1130)Windows StateRepository API ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.StateRepository.dllMD5=8F4457905D80A520C684CA48F807C268,SHA256=623299C57C3148EB7B8EE0FE22F2E8A4C7A41712A87D43074E56643BEB84C06A,IMPHASH=A28EA9ED587BD4511849B7BB44021022trueMicrosoft WindowsValid 734700x80000000000000007990619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.515{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\System32\svchost.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x80000000000000007990618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.562{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\System32\svchost.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207,IMPHASH=24160898971C9C6FED5AE429E3AAD3DAtrueMicrosoft WindowsValid 734700x80000000000000007990617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.515{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\DataExchange.dll10.0.14393.4169 (rs1_release.210107-1130)Data exchangeMicrosoft® Windows® Operating SystemMicrosoft CorporationDataExchange.dllMD5=23F499FA8F8E02A8090FB78E80617BDD,SHA256=08C2E505F3765D98379BB88DC8AD5555AB680A691054933FCA1A2CFCDFA42F51,IMPHASH=05056B92E29CCE6F97F9C6674AE080C0trueMicrosoft WindowsValid 734700x80000000000000007990616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.421{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\oleacc.dll7.2.14393.4169 (rs1_release.210107-1130)Active Accessibility Core ComponentMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEACC.DLLMD5=1B04659F0A22BFE9142B6AD36467ACEA,SHA256=67BC7C19D71FB98A7B5882B0F2BFC8F2E4491B4ACBE23EE545D54FFCAEC808E9,IMPHASH=427F18493D540CBF4092BD07A97BE51FtrueMicrosoft WindowsValid 10341000x80000000000000007990615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.531{3BF36828-DD0B-60DD-0B00-00000000C801}6522840C:\Windows\system32\lsass.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.531{3BF36828-DD0B-60DD-0B00-00000000C801}6522840C:\Windows\system32\lsass.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.531{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\System32\svchost.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 10341000x80000000000000007990612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.515{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.515{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.515{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.515{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.515{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\System32\svchost.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570,IMPHASH=2E790E44628AED89C2CC17E1E4A5CE1CtrueMicrosoft WindowsValid 734700x80000000000000007990607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.515{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\System32\svchost.exeC:\Windows\System32\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=D0DB3DD09FB2B4ADABF4E719FAFC4EB9,SHA256=8B7C056B5F4AB604ED5077A39C63CE1B5A34929DE76DA4A3C54D6E648D123BAB,IMPHASH=AD7CEB919D43FA2BD394EC803EB6BCDAtrueMicrosoft WindowsValid 734700x80000000000000007990606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.406{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\MMDevAPI.dll10.0.14393.4169 (rs1_release.210107-1130)MMDevice APIMicrosoft® Windows® Operating SystemMicrosoft CorporationMMDevAPI.DllMD5=CF179D8A655703FDD273891432EBF588,SHA256=722863E48713AEDC9E7EA95C181CAAA389B147BCE51A7E815F0D4189AF92B6E8,IMPHASH=A9DFEC2D392C78A08CC45D2B95165EEAtrueMicrosoft WindowsValid 734700x80000000000000007990605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.515{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\WindowsCodecs.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=B791899A46FD151559658F4F86C3C6F5,SHA256=E559B36A3CC2261C16916F2D49FA351DC4E21E5EC581AC43547ABA16F70CDA7E,IMPHASH=945C5ACF3D7F6243AD6374B1152227D8trueMicrosoft WindowsValid 734700x80000000000000007990604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.515{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\dxgi.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)DirectX Graphics InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationdxgi.dllMD5=3C32D763740C83DB2C44DEA4B6F18C54,SHA256=ED26DBB9C3656767CA25887CDC3B45CF978AFC75E064FF5457A36C7A69E55223,IMPHASH=83736A76214A92F5C1B53248D0C22863trueMicrosoft WindowsValid 734700x80000000000000007990603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.515{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\d3d11.dll10.0.14393.4169 (rs1_release.210107-1130)Direct3D 11 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D11.dllMD5=EDCE49E7FDE3BD70DF70F05B8C47ACD4,SHA256=864EC8827EB03CDF7F2FC5E318283A7835E600CE548590C59E1DCF8BF8112089,IMPHASH=460DAE5CA92CB705C37D78BE630D6120trueMicrosoft WindowsValid 734700x80000000000000007990602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.515{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\dcomp.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft DirectComposition LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdcomp.dllMD5=40873566DBFF13981CA1AE23AC281C5D,SHA256=E52C4619C837358454B969D31E2E14ACDEDABB384272D48C03E4F0AF9A2C2B6E,IMPHASH=9651C547656809410E78B358203C1A1DtrueMicrosoft WindowsValid 734700x80000000000000007990601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.374{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\SndVolSSO.dll10.0.14393.4169 (rs1_release.210107-1130)SCA VolumeMicrosoft® Windows® Operating SystemMicrosoft CorporationSndVolSSO.dllMD5=D8CF929E136799B0A91C3570EA3C2F26,SHA256=65710C8A0C0E73B0288030D59BFFABBDA0962382188AB2D4B43CB503D1F80DFA,IMPHASH=1264A858AC5CA0DD6A936B66C05E26A4trueMicrosoft WindowsValid 734700x80000000000000007990600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.374{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x80000000000000007990599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.359{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\SettingSyncPolicy.dll10.0.14393.4169 (rs1_release.210107-1130)SettingSync PolicyMicrosoft® Windows® Operating SystemMicrosoft CorporationSettingSyncPolicy.dllMD5=7C62037A18CD85FED55C333C447FCCEE,SHA256=2C6B281633A457CCF79590DB75D380AE5E833CC615CF75CD4C546ACE2E6346C9,IMPHASH=6E6B6D54B6D3C8A67065FB7BE1F0C595trueMicrosoft WindowsValid 734700x80000000000000007990598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.312{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\wlidprov.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Account ProviderMicrosoft® Windows® Operating SystemMicrosoft CorporationWlidProv.dllMD5=A384CD621A7F6CD8BCF9588341AEF9AD,SHA256=9D335F7580DDB52A917BF32247FA1EEFB28B51EE333C692BFF59270F4954CCBC,IMPHASH=2608294CE070F50A913F1D543080089AtrueMicrosoft WindowsValid 734700x80000000000000007990597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.296{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\SharedStartModel.dll10.0.14393.4169 (rs1_release.210107-1130)Shared Start Model InProc ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationSharedStartModel.dllMD5=1ED630477E6FEFE3C7722FDBA69D905F,SHA256=96846D692A680859F229E9E8BA01A04DB81808871F61E1D1674919DBCF333287,IMPHASH=D57A6858D1CBDF14F3CE8801F944C825trueMicrosoft WindowsValid 734700x80000000000000007990596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007990595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007990594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.452{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\vaultcli.dll10.0.14393.4169 (rs1_release.210107-1130)Credential Vault Client LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationvaultcli.dllMD5=3A4413FEB384CA47420B1A7CB9099BF0,SHA256=338D718FF68D1ACF8AFC366E923B44128E821DDD50A9C282A5F55502BAF288FA,IMPHASH=E0B17C1B749544B11E7164BC8880263EtrueMicrosoft WindowsValid 734700x80000000000000007990593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007990592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007990591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.202{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007990590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007990589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.202{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\SettingSyncCore.dll10.0.14393.4169 (rs1_release.210107-1130)Setting Synchronization CoreMicrosoft® Windows® Operating SystemMicrosoft CorporationSettingSyncCore.dllMD5=BF1D9E709DFCFF1C9855C6A1DDEE9526,SHA256=D7A094475C699A8FE4065C7F13FF0636C022E9208A78AB19AC9B313E288F075E,IMPHASH=E3A3C649F9D531C55CB08E5D145FD21BtrueMicrosoft WindowsValid 734700x80000000000000007990588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\SettingSyncCore.dll10.0.14393.4169 (rs1_release.210107-1130)Setting Synchronization CoreMicrosoft® Windows® Operating SystemMicrosoft CorporationSettingSyncCore.dllMD5=BF1D9E709DFCFF1C9855C6A1DDEE9526,SHA256=D7A094475C699A8FE4065C7F13FF0636C022E9208A78AB19AC9B313E288F075E,IMPHASH=E3A3C649F9D531C55CB08E5D145FD21BtrueMicrosoft WindowsValid 734700x80000000000000007990587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.406{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\iertutil.dll11.00.14393.4283 (rs1_release.210303-1802)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=5541A4A7FB64063F8AFB192ABD4DAE70,SHA256=AABF2E6C392F29B77F076BF705976B68B3100138BC63060335BD154B8417754D,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x80000000000000007990586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.406{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x80000000000000007990585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.187{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\twinapi.dll10.0.14393.4169 (rs1_release.210107-1130)twinapiMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.dllMD5=40E4471EAFBC1AB4D40288BF005AB895,SHA256=E93454095918346B3426D55704F02DF6FBB1B840BF969CE619E3F10BA0AC9A44,IMPHASH=BE2A18E7131BB697F5E7CE37E2AEC582trueMicrosoft WindowsValid 734700x80000000000000007990584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\twinapi.dll10.0.14393.4169 (rs1_release.210107-1130)twinapiMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.dllMD5=40E4471EAFBC1AB4D40288BF005AB895,SHA256=E93454095918346B3426D55704F02DF6FBB1B840BF969CE619E3F10BA0AC9A44,IMPHASH=BE2A18E7131BB697F5E7CE37E2AEC582trueMicrosoft WindowsValid 734700x80000000000000007990583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.187{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007990582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007990581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.187{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007990580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007990579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.187{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007990578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007990577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.187{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007990576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007990575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.374{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\UserMgrProxy.dll10.0.14393.4283 (rs1_release.210303-1802)UserMgrProxyMicrosoft® Windows® Operating SystemMicrosoft Corporationusermgrproxy.dllMD5=AF3700CF9AAABABA08470416F00B7036,SHA256=8F1595F1AF0DECA3FBAE25E8FC2409ABC9C976EE2BB5B567B0E2FD33CBF4F22C,IMPHASH=F199335708837C17195EBB8AF4E3B0EFtrueMicrosoft WindowsValid 734700x80000000000000007990574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.187{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007990573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007990572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.999{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\explorer.exe10.0.14393.4169 (rs1_release.210107-1130)Windows ExplorerMicrosoft® Windows® Operating SystemMicrosoft CorporationEXPLORER.EXEMD5=F7FDECA990692D53D7E4E396B0BD711E,SHA256=1F955612E7DB9BB037751A89DAE78DFAF03D7C1BCC62DF2EF019F6CFE6D1BBA7,IMPHASH=8D2880102609AA4B23679BD4FEBEBC95trueMicrosoft WindowsValid 10341000x80000000000000007990571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.374{3BF36828-E8AA-60DD-FC01-00000000C801}34883928C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61acc|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 734700x80000000000000007990570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.234{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\explorer.exe10.0.14393.4169 (rs1_release.210107-1130)Windows ExplorerMicrosoft® Windows® Operating SystemMicrosoft CorporationEXPLORER.EXEMD5=F7FDECA990692D53D7E4E396B0BD711E,SHA256=1F955612E7DB9BB037751A89DAE78DFAF03D7C1BCC62DF2EF019F6CFE6D1BBA7,IMPHASH=8D2880102609AA4B23679BD4FEBEBC95trueMicrosoft WindowsValid 10341000x80000000000000007990569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.374{3BF36828-E8AA-60DD-FC01-00000000C801}34883928C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61acc|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 734700x80000000000000007990568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.374{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\OneCoreCommonProxyStub.dll10.0.14393.2395 (rs1_release_inmarket.180714-1932)OneCore Common Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationOneCoreCommonProxyStub.dllMD5=02CEC1566FB0709923FF7A9FEC254D96,SHA256=81BED60AEB79C489E9F79996A3F0AB626E6CA247EBB656B6B9897C47A39F6AFB,IMPHASH=69A8B7E9F373278F52FE45A83CE3A380trueMicrosoft WindowsValid 734700x80000000000000007990567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.359{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=D0DB3DD09FB2B4ADABF4E719FAFC4EB9,SHA256=8B7C056B5F4AB604ED5077A39C63CE1B5A34929DE76DA4A3C54D6E648D123BAB,IMPHASH=AD7CEB919D43FA2BD394EC803EB6BCDAtrueMicrosoft WindowsValid 734700x80000000000000007990566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.359{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\tokenbinding.dll10.0.14393.2363 (rs1_release.180625-1741)Token Binding ProtocolMicrosoft® Windows® Operating SystemMicrosoft Corporationtokenbinding.dllMD5=8AD65F608FD6964085B365A43F8DBEA4,SHA256=E088353C88877763D4E5BB6EB7FB55C81908DF639A9AF89EECA546FD9EDB18DE,IMPHASH=EDBDD2E193CED10C0D380B250BFC13C5trueMicrosoft WindowsValid 734700x80000000000000007990565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.359{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\TokenBroker.dll10.0.14393.4169 (rs1_release.210107-1130)Token BrokerMicrosoft® Windows® Operating SystemMicrosoft CorporationTokenBroker.dllMD5=9ECF3BE652A6FF4B5C4744697FDDABA2,SHA256=00DF6190CBF64C8840C1B9068A844D4A6584E6D82C8C6FD78CFDB10184F815C7,IMPHASH=F91C8ACC62DFD3D725FAC2A0CBB6AA8FtrueMicrosoft WindowsValid 734700x80000000000000007990564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.359{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\WinTypes.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=AAA321C636929D23C58B5A78EDA04B61,SHA256=E33D62CC132B8D790B3604DBE227CD2A270E30C1B71881BB4E3B00732CE56E5C,IMPHASH=58F905117CF0434AF54A7CD9D43EEF30trueMicrosoft WindowsValid 734700x80000000000000007990563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.359{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\policymanager.dll10.0.14393.4169 (rs1_release.210107-1130)Policy Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPolicyManager.dllMD5=58677E3FBF7D29109E8EB578062F1C81,SHA256=F751521EBC10CC1F0BC6AAB2715B9169439A014F178A7D6880080567D880C103,IMPHASH=E1BC13C6E7766D0332C0420A512C2799trueMicrosoft WindowsValid 734700x80000000000000007990562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.359{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\BCP47Langs.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)BCP47 Language ClassesMicrosoft® Windows® Operating SystemMicrosoft CorporationBCP47Lang.dllMD5=F688C2B9DD2EB56C3B0312B6380338AA,SHA256=B22DB210486D3B5F4EEB17900C5E7AA0EEFEDBB068A0C4858EFE9F8018C34628,IMPHASH=31EA1856BC7597303D8126028BBFDFB8trueMicrosoft WindowsValid 734700x80000000000000007990561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.937{3BF36828-E8AA-60DD-0402-00000000C801}2060C:\Windows\System32\userinit.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007990560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.999{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007990559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007990558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.937{3BF36828-E8AA-60DD-0402-00000000C801}2060C:\Windows\System32\userinit.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007990557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.999{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007990556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007990555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.937{3BF36828-E8AA-60DD-0402-00000000C801}2060C:\Windows\System32\userinit.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007990554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.999{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007990553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007990552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.937{3BF36828-E8AA-60DD-0402-00000000C801}2060C:\Windows\System32\userinit.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007990551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.999{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007990550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007990549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.312{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\IDStore.dll10.0.14393.4169 (rs1_release.210107-1130)Identity StoreMicrosoft® Windows® Operating SystemMicrosoft CorporationIdStore.dllMD5=C361C32146F8C2E67168CFC076DBBF55,SHA256=D27DC85DE98B5C85AAAEEE1FC2EBE0F92B53F82F35F0AC6A49ADAE83456C0740,IMPHASH=E5FDBED6A52D2B5010634A77EC08AD4DtrueMicrosoft WindowsValid 10341000x80000000000000007990548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.312{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.312{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.921{3BF36828-E8AA-60DD-0402-00000000C801}2060C:\Windows\System32\userinit.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007990545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.999{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007990544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.296{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\msvcp110_win.dll10.0.14393.2007 (rs1_release.171231-1800)Microsoft® STL110 C++ Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp110_win.dllMD5=BFB390484F611C21582AD11E4C6ADEF2,SHA256=30B5AD268C022FCA2AACAE2CB6E4DC36F6A01C16A006046BB4417CEA96DA4F5A,IMPHASH=80A56C2FEE02149B4E326F9A62FF4B12trueMicrosoft WindowsValid 734700x80000000000000007990543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.234{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007990542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.296{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\CoreMessaging.dll10.0.14393.3930Microsoft CoreMessaging DllMicrosoft® Windows® Operating SystemMicrosoft CorporationCoreMessaging.dllMD5=3D9D2F367587B2E93F2868F52D4ACBDD,SHA256=B4B27A7D4B9B685B6015D090B6A3E0E578AFBDE8D6C06A8F2E606A439D5A4BA4,IMPHASH=92CA7117B99353AC45978E95EEB5A46DtrueMicrosoft WindowsValid 734700x80000000000000007990541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.296{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\VEEventDispatcher.dll10.0.14393.4169 (rs1_release.210107-1130)Visual Element Event dispatcherMicrosoft® Windows® Operating SystemMicrosoft CorporationVEEventDispatcher.dllMD5=7A89C3B780AD83BD07097E1562C8C2A4,SHA256=A2E4969569F4A963A6F02827480634480817BC00A52C5BB96BD6FC6D9BE54B2A,IMPHASH=68182A73D7878DB2056CBA31DAA3CEFCtrueMicrosoft WindowsValid 734700x80000000000000007990540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.296{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x80000000000000007990539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.921{3BF36828-E8AA-60DD-0402-00000000C801}2060C:\Windows\System32\userinit.exeC:\Windows\System32\userinitext.dll10.0.14393.0 (rs1_release.160715-1616)UserInit Utility Extension DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationUserInitExt.DLLMD5=ECC70E1A68A571D38486EBC3783450D7,SHA256=93222B0150884378089B65411755D7118CCD93B6B899445EDADBA9805E89FC06,IMPHASH=D30139E3B323E9571037CA02BB6DAD8DtrueMicrosoft WindowsValid 734700x80000000000000007990538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.921{3BF36828-E8AA-60DD-0402-00000000C801}2060C:\Windows\System32\userinit.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007990537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.999{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007990536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.234{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007990535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.281{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207,IMPHASH=24160898971C9C6FED5AE429E3AAD3DAtrueMicrosoft WindowsValid 734700x80000000000000007990534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.281{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207,IMPHASH=24160898971C9C6FED5AE429E3AAD3DAtrueMicrosoft WindowsValid 734700x80000000000000007990533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.921{3BF36828-E8AA-60DD-0402-00000000C801}2060C:\Windows\System32\userinit.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007990532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.999{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007990531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.234{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007990530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.921{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AE,IMPHASH=52045AC79DBE663F06AB7C9717524D40trueMicrosoft WindowsValid 734700x80000000000000007990529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.265{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x80000000000000007990528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.921{3BF36828-E8AA-60DD-0402-00000000C801}2060C:\Windows\System32\userinit.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007990527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.999{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007990525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.234{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007990524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007990523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\msctf.dll10.0.14393.4225 (rs1_release.210127-1811)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=1FD254D30743876981194F7E17ECDB6F,SHA256=0CB67AC140097A888B7ED85C9A31F8967D16661B82557CE5D61FA70A85BDF8B8,IMPHASH=BC8DDE4D2412D48001350313FD2B7840trueMicrosoft WindowsValid 10341000x80000000000000007990522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-DD0D-60DD-0F00-00000000C801}3443548C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-DD0D-60DD-0F00-00000000C801}3441364C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x80000000000000007990519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\userenv.dll10.0.14393.3986 (rs1_release.201002-1707)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=047D26DCED07A10913C3E7C3A7502BED,SHA256=143C661F79AC6BB271452A10C2A19F6B1AAAAE43B4062B6CFF173F7D8ABC40FE,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x80000000000000007990518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.4169 (rs1_release.210107-1130)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=B877C5BDEA2215B3D3CF89F645EB535C,SHA256=2F5468CC4277C8CB4B2AD1095AFC739ECAE0F0B6EE78E57BF64A97F3BDA54C19,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 734700x80000000000000007990517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.4169 (rs1_release.210107-1130)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=B877C5BDEA2215B3D3CF89F645EB535C,SHA256=2F5468CC4277C8CB4B2AD1095AFC739ECAE0F0B6EE78E57BF64A97F3BDA54C19,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 734700x80000000000000007990516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x80000000000000007990515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x80000000000000007990514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\MrmCoreR.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Windows MRMMicrosoft® Windows® Operating SystemMicrosoft CorporationMrmCore.dllMD5=D730B5700BEB4A7E6E4244684356739C,SHA256=26083BEB490E48F5711D69A0E597B7A4CC6FB4B31EDCD535A0FF0DFBE4E6F8DD,IMPHASH=462A9FA6F44F25C68798F197AC8EC9D9trueMicrosoft WindowsValid 734700x80000000000000007990513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x80000000000000007990512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x80000000000000007990511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FA,IMPHASH=5BAA515B293A764CA06512D078C4E624trueMicrosoft WindowsValid 734700x80000000000000007990510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x80000000000000007990509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x80000000000000007990508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x80000000000000007990507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x80000000000000007990506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 734700x80000000000000007990505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x80000000000000007990504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x80000000000000007990503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007990502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007990501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.921{3BF36828-E8AA-60DD-0402-00000000C801}2060C:\Windows\System32\userinit.exeC:\Windows\System32\userinit.exe10.0.14393.0 (rs1_release.160715-1616)Userinit Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationUSERINIT.EXEMD5=C1B1FFC800BE2F31EB2CF8CB40629C69,SHA256=CFC6A18FC8FE7447ECD491345A32F0F10208F114B70A0E9D1CD72F6070D5B36F,IMPHASH=BFA137B16F3492AFCA0551687B067C04trueMicrosoft WindowsValid 10341000x80000000000000007990500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.234{3BF36828-E8A8-60DD-F501-00000000C801}2576416C:\Windows\system32\csrss.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007990499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.234{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.234{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.234{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.234{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.234{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007990494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.234{3BF36828-DD0D-60DD-0F00-00000000C801}3443548C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+acf0|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.906{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\container.dll10.0.14393.4225 (rs1_release.210127-1811)Windows ContainersMicrosoft® Windows® Operating SystemMicrosoft Corporationcontainer.dllMD5=0ACF5208642FDC2A4453E7ACADDC1994,SHA256=7B8C835C5000AB363302543802E0A277F27507BCBCD28E3703AB799442CD5D6E,IMPHASH=BE855C2B044D94EFF7A6ED6DA9D0C639trueMicrosoft WindowsValid 10341000x80000000000000007990492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.234{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000007990491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localT10532021-07-01 16:09:15.234{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\CreateExplorerShellUnelevatedTask2021-06-03 19:02:43.913 734700x80000000000000007990490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.218{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x80000000000000007990489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.906{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 23542300x80000000000000007990488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.218{3BF36828-DD0D-60DD-0F00-00000000C801}344NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\CreateExplorerShellUnelevatedTaskMD5=A0993ADE62E1EC5EF5EC212EB77CA47B,SHA256=ACBA4EC761320E76B24FBD0ABBDC294E00C48FF0B6574874F331E8295EA92DA9,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007990487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.906{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\daxexec.dll10.0.14393.4283 (rs1_release.210303-1802)daxexecMicrosoft® Windows® Operating SystemMicrosoft Corporationdaxexec.dllMD5=0060666493A73BB0A17028677DBF57E4,SHA256=F4A5C39315AD92024405DAABB8BF451382C638469DD99862002CFCB6FB966EA4,IMPHASH=24D7F4E3B2BE6E9BB767B929A9AFD435trueMicrosoft WindowsValid 10341000x80000000000000007990486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.218{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.218{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.218{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\taskschd.dll10.0.14393.4402 (rs1_release.210426-1725)Task Scheduler COM APIMicrosoft® Windows® Operating SystemMicrosoft Corporationtaskschd.dllMD5=76BF5CA81C749140E05C7519B13B299E,SHA256=D5CBDB2EEE67E582198F9DB213EC95DF9107F08D646E67FFA723066CC434B515,IMPHASH=2C7BF5CADC559377391AFDF385763E3CtrueMicrosoft WindowsValid 734700x80000000000000007990483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.202{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x80000000000000007990482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.890{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\twinui.appcore.dll10.0.14393.4169 (rs1_release.210107-1130)TWINUI.APPCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationTWINUI.APPCORE.dllMD5=6DC89814533DB3F3EDAABEEAA2971D7C,SHA256=5606E78F5C86AFD607E6571108710B1E9A248D9109EDA100D53821514192DE20,IMPHASH=7EC3400A2CC8697642592FCB9208B932trueMicrosoft WindowsValid 734700x80000000000000007990481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.202{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x80000000000000007990480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.202{3BF36828-DD0D-60DD-0F00-00000000C801}3442296C:\Windows\system32\svchost.exe{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.202{3BF36828-DD0D-60DD-0F00-00000000C801}3441364C:\Windows\system32\svchost.exe{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.202{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x80000000000000007990477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.890{3BF36828-DD0D-60DD-1200-00000000C801}396C:\Windows\System32\svchost.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007990476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.874{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\Windows.System.Launcher.dll10.0.14393.4169 (rs1_release.210107-1130)Windows.System.LauncherMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.System.Launcher.dllMD5=384379949D62C818AF52A5DE919A62FD,SHA256=21F85FFD4DD9A61088194F9A416ED1496EE781033D1A23E69893EAC583C72B68,IMPHASH=2FCCF9E601F23A043E51DA1E837A3065trueMicrosoft WindowsValid 734700x80000000000000007990475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.187{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\userenv.dll10.0.14393.3986 (rs1_release.201002-1707)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=047D26DCED07A10913C3E7C3A7502BED,SHA256=143C661F79AC6BB271452A10C2A19F6B1AAAAE43B4062B6CFF173F7D8ABC40FE,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x80000000000000007990474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.187{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.4169 (rs1_release.210107-1130)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=B877C5BDEA2215B3D3CF89F645EB535C,SHA256=2F5468CC4277C8CB4B2AD1095AFC739ECAE0F0B6EE78E57BF64A97F3BDA54C19,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 734700x80000000000000007990473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.187{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.4169 (rs1_release.210107-1130)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=B877C5BDEA2215B3D3CF89F645EB535C,SHA256=2F5468CC4277C8CB4B2AD1095AFC739ECAE0F0B6EE78E57BF64A97F3BDA54C19,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 734700x80000000000000007990472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.187{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x80000000000000007990471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.187{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x80000000000000007990470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.187{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x80000000000000007990469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.187{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\MrmCoreR.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Windows MRMMicrosoft® Windows® Operating SystemMicrosoft CorporationMrmCore.dllMD5=D730B5700BEB4A7E6E4244684356739C,SHA256=26083BEB490E48F5711D69A0E597B7A4CC6FB4B31EDCD535A0FF0DFBE4E6F8DD,IMPHASH=462A9FA6F44F25C68798F197AC8EC9D9trueMicrosoft WindowsValid 734700x80000000000000007990468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.187{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x80000000000000007990467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.187{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FA,IMPHASH=5BAA515B293A764CA06512D078C4E624trueMicrosoft WindowsValid 734700x80000000000000007990466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.187{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x80000000000000007990465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.187{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x80000000000000007990464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.187{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x80000000000000007990463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.187{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x80000000000000007990462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.171{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 734700x80000000000000007990461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.874{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\policymanager.dll10.0.14393.4169 (rs1_release.210107-1130)Policy Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPolicyManager.dllMD5=58677E3FBF7D29109E8EB578062F1C81,SHA256=F751521EBC10CC1F0BC6AAB2715B9169439A014F178A7D6880080567D880C103,IMPHASH=E1BC13C6E7766D0332C0420A512C2799trueMicrosoft WindowsValid 734700x80000000000000007990460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.859{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\execmodelproxy.dll10.0.14393.0 (rs1_release.160715-1616)ExecModelProxyMicrosoft® Windows® Operating SystemMicrosoft CorporationExecModelProxy.dllMD5=A0251547D09C624F5E0FDFED5F14C834,SHA256=A6E167A77AC44A73323B8FF65E1FA2BAEDC0E092255F81FE041B35D40970FF90,IMPHASH=B1BB7A0B17604581DFBD9AE821306153trueMicrosoft WindowsValid 734700x80000000000000007990459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.874{3BF36828-DD0C-60DD-0C00-00000000C801}864C:\Windows\System32\svchost.exeC:\Windows\System32\execmodelproxy.dll10.0.14393.0 (rs1_release.160715-1616)ExecModelProxyMicrosoft® Windows® Operating SystemMicrosoft CorporationExecModelProxy.dllMD5=A0251547D09C624F5E0FDFED5F14C834,SHA256=A6E167A77AC44A73323B8FF65E1FA2BAEDC0E092255F81FE041B35D40970FF90,IMPHASH=B1BB7A0B17604581DFBD9AE821306153trueMicrosoft WindowsValid 734700x80000000000000007990458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.890{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeC:\Windows\System32\execmodelproxy.dll10.0.14393.0 (rs1_release.160715-1616)ExecModelProxyMicrosoft® Windows® Operating SystemMicrosoft CorporationExecModelProxy.dllMD5=A0251547D09C624F5E0FDFED5F14C834,SHA256=A6E167A77AC44A73323B8FF65E1FA2BAEDC0E092255F81FE041B35D40970FF90,IMPHASH=B1BB7A0B17604581DFBD9AE821306153trueMicrosoft WindowsValid 734700x80000000000000007990457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.890{3BF36828-DD0D-60DD-1200-00000000C801}396C:\Windows\System32\svchost.exeC:\Windows\System32\execmodelproxy.dll10.0.14393.0 (rs1_release.160715-1616)ExecModelProxyMicrosoft® Windows® Operating SystemMicrosoft CorporationExecModelProxy.dllMD5=A0251547D09C624F5E0FDFED5F14C834,SHA256=A6E167A77AC44A73323B8FF65E1FA2BAEDC0E092255F81FE041B35D40970FF90,IMPHASH=B1BB7A0B17604581DFBD9AE821306153trueMicrosoft WindowsValid 734700x80000000000000007990456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.859{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\WpPortingLibrary.dll10.0.14393.0 (rs1_release.160715-1616)<d> DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWpPortingLibrary.dllMD5=9F86158107F4C4A954E1A1594A73E769,SHA256=8D797D0B92ACE4957EDC3380C06D54CC2912896248A2A68E86F83FA0B7A24136,IMPHASH=B4ACDC77E7BA866BD19676ABBA0D0B2FtrueMicrosoft WindowsValid 734700x80000000000000007990455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.859{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\InputLocaleManager.dll10.0.14393.4169 (rs1_release.210107-1130)"InputLocaleManager.DYNLINK"Microsoft® Windows® Operating SystemMicrosoft Corporation"InputLocaleManager.DYNLINK"MD5=02E48CCF819746495BE276F5704B49A4,SHA256=5A30A993C3071A896B1ACC6F92DBEE1DB775446DB44840D30A2316967B315D07,IMPHASH=29D352126C4302507B7974232FA02CFDtrueMicrosoft WindowsValid 734700x80000000000000007990454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.827{3BF36828-E8AA-60DD-0302-00000000C801}4780C:\Windows\System32\taskhostw.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30E,IMPHASH=8F811B713271A0FEFA798FB95D523A8BtrueMicrosoft WindowsValid 734700x80000000000000007990453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.999{3BF36828-E8AA-60DD-0402-00000000C801}2060C:\Windows\System32\userinit.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30E,IMPHASH=8F811B713271A0FEFA798FB95D523A8BtrueMicrosoft WindowsValid 734700x80000000000000007990452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.827{3BF36828-E8AA-60DD-0302-00000000C801}4780C:\Windows\System32\taskhostw.exeC:\Windows\System32\certca.dll10.0.14393.3053 (rs1_release_inmarket.190612-1836)Microsoft® Active Directory Certificate Services CAMicrosoft® Windows® Operating SystemMicrosoft CorporationCertCaMD5=8F23364460E12C9A157F88B9B4A86F2E,SHA256=51B5550668D6420C5DA988FEF83564DD9B4E911866EF4FC80748C8B219789F23,IMPHASH=2BEC012C7F0C624C5C5ADC500530215DtrueMicrosoft WindowsValid 734700x80000000000000007990451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.827{3BF36828-E8AA-60DD-0302-00000000C801}4780C:\Windows\System32\taskhostw.exeC:\Windows\System32\CertEnroll.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Active Directory Certificate Services Enrollment ClientMicrosoft® Windows® Operating SystemMicrosoft CorporationCertEnrollMD5=20ADB479CDAFBDFB60D8D6E0AD7D6588,SHA256=C1C86EE623A9BCA85CE4D6AD7DA9F75C18E62DA2341219FCF45A73FD0CF5123B,IMPHASH=4DD388EAD48B428D06DBB92F58C86A13trueMicrosoft WindowsValid 734700x80000000000000007990450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.812{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\System32\svchost.exeC:\Windows\System32\BluetoothApis.dll10.0.14393.1198 (rs1_release_sec.170427-1353)Bluetooth Usermode Api hostMicrosoft® Windows® Operating SystemMicrosoft CorporationBluetoothApis.DLLMD5=780EF18321894E459A39844E6CFCB783,SHA256=E69C470BD51DE399D1CD1CC44C3B4B376D71729DD2F4F114C368E3AD28EA9915,IMPHASH=565BE656E1DABB7885CE440B41B76C57trueMicrosoft WindowsValid 734700x80000000000000007990449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.796{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\ShareHost.dll10.0.14393.4169 (rs1_release.210107-1130)ShareHostMicrosoft® Windows® Operating SystemMicrosoft CorporationShareHost.dllMD5=024DE32F629D79F83D8557C0B7EE44BB,SHA256=7CE4CC96E61F81CE603BF828C825F39B9F1C3E39F02438D79782A5EF178CFA95,IMPHASH=31D3C87FD7A4075FCE9FDA9529FCF344trueMicrosoft WindowsValid 734700x80000000000000007990448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.796{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\System32\svchost.exeC:\Windows\System32\ncryptprov.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft KSPMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptprov.dllMD5=9488F26020CD0614ECBEBF87F4E562CD,SHA256=A04E38C80C7265C1CFF0E5C50023A6F15016D496E21DB681B29F6F2BC153A0E1,IMPHASH=3342CCF3DD7CA863EBDA7724FC049E65trueMicrosoft WindowsValid 734700x80000000000000007990447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.781{3BF36828-E8AA-60DD-0302-00000000C801}4780C:\Windows\System32\taskhostw.exeC:\Windows\System32\pautoenr.dll10.0.14393.0 (rs1_release.160715-1616)Auto Enrollment DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationAuto Enrollment DLLMD5=9886F4C8026D37BEFAFF2B99EAC136B0,SHA256=E9E36BCF4B1ED5DB0E6B656480D1CF1842425CA406E3292F79F2B60AAB56BB68,IMPHASH=97E28291D490F9156B03EB1CCBFE8002trueMicrosoft WindowsValid 734700x80000000000000007990446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.781{3BF36828-E8AA-60DD-0302-00000000C801}4780C:\Windows\System32\taskhostw.exeC:\Windows\System32\npmproxy.dll10.0.14393.4169 (rs1_release.210107-1130)Network List Manager ProxyMicrosoft® Windows® Operating SystemMicrosoft Corporationnpfproxy.dllMD5=4D76C6FAF3D01B31A68C9ABF95F4B7D4,SHA256=9B771613C067880E99ED3D68E6C2A43C6B252E899D44682ADEB5A7F02E925920,IMPHASH=55727E718711848BBCDC7F433974B473trueMicrosoft WindowsValid 734700x80000000000000007990445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.781{3BF36828-E8AA-60DD-0302-00000000C801}4780C:\Windows\System32\taskhostw.exeC:\Windows\System32\dimsjob.dll10.0.14393.0 (rs1_release.160715-1616)DIMS Job DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdimsjob.dllMD5=F2F2FED1EAE5A089D959D1D6DBFD7DD4,SHA256=1C07371882F3DC3A19981BD1AC13359CB02675CC9462CE670D7001D5C25C026A,IMPHASH=8E61026621C1595A6AFB8BC7954CD315trueMicrosoft WindowsValid 734700x80000000000000007990444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.781{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\AppContracts.dll10.0.14393.4169 (rs1_release.210107-1130)Windows AppContracts API ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationAppContracts.dllMD5=0C7233FBE28B3282F0F10864AED43B11,SHA256=9ED9DD27915352576A4D29120A01FAB62044BA0FD6AC1B49D7A9692CB398F53C,IMPHASH=42FDA8D71EDB03006B7F684F5C1BA1E8trueMicrosoft WindowsValid 734700x80000000000000007990443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.781{3BF36828-DD0C-60DD-0C00-00000000C801}864C:\Windows\System32\svchost.exeC:\Windows\System32\SebBackgroundManagerPolicy.dll10.0.14393.4169 (rs1_release.210107-1130)<d> SEB Background Manager Policy DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSebBackgroundManagerPolicy.dllMD5=E8ED6611C4284A4451AB98AC6648774C,SHA256=B377C15D9DDDAB03CC80A72AB1014F2EB8A49F471EA2B8E27189879C3B324B7D,IMPHASH=68029B4946E670634BDE766ED452F438trueMicrosoft WindowsValid 734700x80000000000000007990442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-DD0C-60DD-0C00-00000000C801}864C:\Windows\System32\svchost.exeC:\Windows\System32\Windows.Networking.BackgroundTransfer.BackgroundManagerPolicy.dll10.0.14393.4169 (rs1_release.210107-1130)Background Transfer Background Manager Policy DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Networking.BackgroundTransfer.BackgroundManagerPolicy.dllMD5=73FAFCB869C20FB792B3C1E52B4AB7BF,SHA256=B88B134B4B0C842E6F10A302987899F84A7D4210A4F1FD7B599362C3EEC8883D,IMPHASH=388254ACC58DB403D467EF663E931FC3trueMicrosoft WindowsValid 734700x80000000000000007990441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\MTFServer.dll10.0.14393.4169 (rs1_release.210107-1130)"MTFServer.DYNLINK"Microsoft® Windows® Operating SystemMicrosoft Corporation"MTFServer.DYNLINK"MD5=F14B7B3C9EDC38B2013DD79CEBDDFACC,SHA256=29164B9BEEDEDD294E7F97ED7EA8A1CDF663F2E835D0A6E927BF21794A40B4AC,IMPHASH=841A40F94069E0A95D6D34A96CED109DtrueMicrosoft WindowsValid 734700x80000000000000007990440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-DD0C-60DD-0C00-00000000C801}864C:\Windows\System32\svchost.exeC:\Windows\System32\SmartCardBackgroundPolicy.dll10.0.14393.4169 (rs1_release.210107-1130)SmartCardBackgroundPolicyMicrosoft® Windows® Operating SystemMicrosoft CorporationSmartCardBackgroundPolicy.dllMD5=0DF7C4B51A33839D38AF834E939B8E3E,SHA256=9B3A23D798B3996E966AE60E71C88145A6703125A1A7FCD4D63AE1B197F0E0D9,IMPHASH=E88639BC1D107F8E2EA1400436C5D1B7trueMicrosoft WindowsValid 734700x80000000000000007990439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.999{3BF36828-E8AA-60DD-0402-00000000C801}2060C:\Windows\System32\userinit.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007990438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.999{3BF36828-E8AA-60DD-0402-00000000C801}2060C:\Windows\System32\userinit.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x80000000000000007990437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.999{3BF36828-E8AA-60DD-0402-00000000C801}2060C:\Windows\System32\userinit.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FA,IMPHASH=5BAA515B293A764CA06512D078C4E624trueMicrosoft WindowsValid 734700x80000000000000007990436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.999{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x80000000000000007990435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.999{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x80000000000000007990434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.999{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007990433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-DD0C-60DD-0C00-00000000C801}864C:\Windows\System32\svchost.exeC:\Windows\System32\CbtBackgroundManagerPolicy.dll10.0.14393.4169 (rs1_release.210107-1130)<d> CBT Background Manager Policy DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCbtBackgroundManagerPolicy.dllMD5=6E563D32C237B860AD13982EE04B842D,SHA256=F66FA704AD6A8299E1060A549C9F14A8C85DDC22873C63344A4673106BC291CC,IMPHASH=1BE1D87A4E1084AD4D11307CE5E4CAF3trueMicrosoft WindowsValid 734700x80000000000000007990432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.999{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007990431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.999{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007990430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.999{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007990429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.999{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007990428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.999{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 10341000x80000000000000007990427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.999{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.999{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.765{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\wininet.dll11.00.14393.4402 (rs1_release.210426-1725)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=27D3D531D0EA9B3EE7F54C4DE5A15946,SHA256=05254BA3332E887C9F97D42406A7C2CEE4DF405ECAF39391968FD472CC4F1F89,IMPHASH=B3ABC7D59C2B1ACAEECA63C53B0AAC4BtrueMicrosoft WindowsValid 10341000x80000000000000007990424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.984{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.984{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.984{3BF36828-E8A8-60DD-F501-00000000C801}25762064C:\Windows\system32\csrss.exe{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007990421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.984{3BF36828-E8AA-60DD-0402-00000000C801}20604356C:\Windows\system32\userinit.exe{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\userinit.exe+1cd8|C:\Windows\system32\userinit.exe+23e5|C:\Windows\system32\userinit.exe+346e|C:\Windows\system32\userinit.exe+3725|C:\Windows\system32\userinit.exe+4553|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007990420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:14.948{3BF36828-E8AA-60DD-0502-00000000C801}5048C:\Windows\explorer.exe10.0.14393.4169 (rs1_release.210107-1130)Windows ExplorerMicrosoft® Windows® Operating SystemMicrosoft CorporationEXPLORER.EXEC:\Windows\Explorer.EXEC:\Windows\system32\ATTACKRANGE\Administrator{3BF36828-E8A9-60DD-F846-180000000000}0x1846f82HighMD5=F7FDECA990692D53D7E4E396B0BD711E,SHA256=1F955612E7DB9BB037751A89DAE78DFAF03D7C1BCC62DF2EF019F6CFE6D1BBA7,IMPHASH=8D2880102609AA4B23679BD4FEBEBC95{3BF36828-E8AA-60DD-0402-00000000C801}2060C:\Windows\System32\userinit.exeC:\Windows\system32\userinit.exe 23542300x800000000000000015899324Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:15.436{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4298C3C93C90B0FD1049A6B8C4CBC93,SHA256=0E5562419900B5E92AB5EDBEC9AB3B543532E781E12E99C135692189CAEB15CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007991116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.984{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007991115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.984{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007991114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.984{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007991113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.984{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007991112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.984{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007991111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.984{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007991110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.984{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007991109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.984{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007991108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.984{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007991107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.984{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007991106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.984{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007991105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.984{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007991104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.968{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007991103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.968{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007991102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.968{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007991101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.968{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007991100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.968{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007991099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.968{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x80000000000000007991098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.968{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007991097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.968{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.968{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007991095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.968{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007991094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.968{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007991093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.968{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.968{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.968{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.968{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.968{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007991088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.968{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007991087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.829{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007991086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.655{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\ActionMgr.dll10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Cortana Action ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationACTIONMGR.DLLMD5=C826B342FFB3DD7D64E7DDBBFC9116E8,SHA256=E18C21A7F0BB54B269A02CD1055E03B845853438D9A43F649851298F7EF58694,IMPHASH=FD99A218B36BA972C12186B6C564B2D1trueMicrosoft WindowsValid 734700x80000000000000007991085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.655{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll-----MD5=005C89BB002DB3236761F2B0B47D472C,SHA256=9EDF2BB3B62B66C97508C85FB0103C0EF3557142BCB02F9C40941C725FF24A22,IMPHASH=B8B784A131D0205AAEB622B872E38BD8trueMicrosoft WindowsValid 734700x80000000000000007991084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.952{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\directmanipulation.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Direct Manipulation ComponentMicrosoft® Windows® Operating SystemMicrosoft Corporationdirectmanipulation.dllMD5=EA7CE188E0D1E66C361C8B87304EACDE,SHA256=9ADCA2B7554173A0FD8833F65935C151B09A5D790F46E9EC4EE25E9622F1159A,IMPHASH=D9F27AFFC8B05CE56A2B9B9CD5B4C9B5trueMicrosoft WindowsValid 734700x80000000000000007991083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.952{3BF36828-DD0D-60DD-1200-00000000C801}396C:\Windows\System32\svchost.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207,IMPHASH=24160898971C9C6FED5AE429E3AAD3DAtrueMicrosoft WindowsValid 10341000x80000000000000007991082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.952{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+18aac|C:\Windows\SYSTEM32\psmserviceexthost.dll+e47e|C:\Windows\SYSTEM32\psmserviceexthost.dll+e517|C:\Windows\SYSTEM32\psmserviceexthost.dll+e22a|C:\Windows\SYSTEM32\psmserviceexthost.dll+18e78|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.952{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\rmclient.dll10.0.14393.4169 (rs1_release.210107-1130)Resource Manager ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationrmclient.dllMD5=D3ABCEC776B1B1D7457A2E8E05F79EE3,SHA256=C368321C5BB811D937E8ABDD2BC3EB959BB8B65F49C104B5AD746129E4E5D169,IMPHASH=FE4203B37BF9B6CEA63D659FD081E423trueMicrosoft WindowsValid 734700x80000000000000007991080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.952{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\WindowsCodecs.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=B791899A46FD151559658F4F86C3C6F5,SHA256=E559B36A3CC2261C16916F2D49FA351DC4E21E5EC581AC43547ABA16F70CDA7E,IMPHASH=945C5ACF3D7F6243AD6374B1152227D8trueMicrosoft WindowsValid 10341000x80000000000000007991079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.952{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000007991078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.952{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000007991077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.952{3BF36828-E8AA-60DD-FD01-00000000C801}32804620C:\Windows\system32\sihost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007991076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.952{3BF36828-E8AA-60DD-FD01-00000000C801}32804620C:\Windows\system32\sihost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 734700x80000000000000007991075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.952{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\biwinrt.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Background Broker InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationbiwinrt.dllMD5=1774BAC67716351387E5F11635DEED8D,SHA256=74F9B4190CFFADCE3ED3F61D4FD6A4F7CCC6EE0F42E3452D018E8160ECB3BE1F,IMPHASH=518BBC26E9BA87459E80712401FEE077trueMicrosoft WindowsValid 734700x80000000000000007991074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.952{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\policymanager.dll10.0.14393.4169 (rs1_release.210107-1130)Policy Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPolicyManager.dllMD5=58677E3FBF7D29109E8EB578062F1C81,SHA256=F751521EBC10CC1F0BC6AAB2715B9169439A014F178A7D6880080567D880C103,IMPHASH=E1BC13C6E7766D0332C0420A512C2799trueMicrosoft WindowsValid 734700x80000000000000007991073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.952{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\OneCoreUAPCommonProxyStub.dll10.0.14393.3808 (rs1_release.200707-2105)OneCoreUAP Common Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationOneCoreUAPCommonProxyStub.dllMD5=9F8EF1431E82015CD1918582A770DB35,SHA256=FC2073DCE9AC41DBF338FAFE85F2429D6D3812573D2192C7A906C1D46E0AB4FA,IMPHASH=D919FF32201FBB7C5B3EF498D589EAE4trueMicrosoft WindowsValid 734700x80000000000000007991072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.952{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\VEEventDispatcher.dll10.0.14393.4169 (rs1_release.210107-1130)Visual Element Event dispatcherMicrosoft® Windows® Operating SystemMicrosoft CorporationVEEventDispatcher.dllMD5=7A89C3B780AD83BD07097E1562C8C2A4,SHA256=A2E4969569F4A963A6F02827480634480817BC00A52C5BB96BD6FC6D9BE54B2A,IMPHASH=68182A73D7878DB2056CBA31DAA3CEFCtrueMicrosoft WindowsValid 734700x80000000000000007991071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.952{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\ntoskrnl.exe10.0.14393.4402 (rs1_release.210426-1725)NT Kernel & SystemMicrosoft® Windows® Operating SystemMicrosoft Corporationntkrnlmp.exeMD5=5F5F07C5B9FF9BA2AF5894C5F42C4E99,SHA256=A370B2F2D46AF560C24B3F7FE170D6EFCA8CF94B06F89185B3AFF61E77E591A6,IMPHASH=28C22BC918D86AD8BBCB5C7E356B4701trueMicrosoft WindowsValid 734700x80000000000000007991070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.952{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\cdp.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft (R) CDP Client APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCDP.dllMD5=97BCD0CFB8C9A7133688C1683B8BB049,SHA256=A4DCBC842B5D97DBE298130BA97D329085B992F15B9FC4C2F78871826618CD80,IMPHASH=BA9A45255BAE8B363B6B657A12E44278trueMicrosoft WindowsValid 734700x80000000000000007991069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.952{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\capauthz.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Capability Authorization APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationcapauthz.dllMD5=23F19228D21BADC021EE9105326116F4,SHA256=A80DFA852F9DCD6D4CDB9A202E122B4765E77E18A0C8E436D9A080464257A7BB,IMPHASH=512E63FF45CABF98ADB36E36331EFB3DtrueMicrosoft WindowsValid 734700x80000000000000007991068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.952{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\Windows.Internal.Shell.Broker.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Shell BrokerMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Internal.Shell.Broker.dllMD5=6F20F13032F6BD2E2DA4DCF7FC3B7D10,SHA256=3A8786CCB21AD1AE7301943E891336084CDF42EC906B549766D5D85FF033237E,IMPHASH=9E3ABA0295C7548C4F5020B4E453434CtrueMicrosoft WindowsValid 734700x80000000000000007991067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.937{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\wincorlib.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Windows ® WinRT core libraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwincorlib.DLLMD5=F08F4542548A5CD4F521491164598021,SHA256=D60844E5A091DD42CB1BC03CA76B8BBAF55C5B1A9EC3F1403AB241DDE36CA630,IMPHASH=7118E177B350BBAD51DE9533CF52B852trueMicrosoft WindowsValid 734700x80000000000000007991066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.624{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\Windows.Cortana.PAL.Desktop.dll10.0.14393.4169 (rs1_release.210107-1130)Windows.Cortana.PAL.DesktopMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Cortana.PAL.Desktop.dllMD5=7CA4C3F102D868CF2F935696104A5CB5,SHA256=381CCF05FB38DB28AAB8E93D4574FE852776620560FDF5DD2D460833681195BA,IMPHASH=13825F6BBCB963E78044B6D6E43BA643trueMicrosoft WindowsValid 734700x80000000000000007991065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.624{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\BingConfigurationClient.dll10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Bing Configuration Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationBingConfigurationClient.dllMD5=5157C221A424FF404FC4F006BC3BE79D,SHA256=26D56062FB4020E7BFD94A83F35CC02F86D370210746A4AC999807E3C4CD5AD8,IMPHASH=73F84D858A4C649D945628FD9227E215trueMicrosoft WindowsValid 734700x80000000000000007991064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.609{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll-----MD5=3FB73B06A20752649DF87465890A2B41,SHA256=04B08005595D4508F1CFD256090C5C3B80068314F7ED952EA2553F0693C80218,IMPHASH=797D69ED46778C57C35FA53803AABB8DtrueMicrosoft WindowsValid 734700x80000000000000007991063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.921{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\InputSwitch.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Windows Input SwitcherMicrosoft® Windows® Operating SystemMicrosoft CorporationInputSwitch.dllMD5=2B36BB851BC67134276AF104374E1AE7,SHA256=5BBE3DAB8CC51D7979C85F6794AC87EC01033B10381C9975BB82EFDD130C71F8,IMPHASH=9FA3243ACAFF711089EA1F97D1240A36trueMicrosoft WindowsValid 734700x80000000000000007991062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.921{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\wmiclnt.dll10.0.14393.0 (rs1_release.160715-1616)WMI Client APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiclnt.dllMD5=6B61852EDC8F0EB9E555CF5308A1CA67,SHA256=73CBABE06D58CF771AC647C0DE916BD668FEC96A40EDF7283D50C1C7DE07FE08,IMPHASH=9178CB7144790F36275451518A7203D6trueMicrosoft WindowsValid 734700x80000000000000007991061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.906{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\execmodelproxy.dll10.0.14393.0 (rs1_release.160715-1616)ExecModelProxyMicrosoft® Windows® Operating SystemMicrosoft CorporationExecModelProxy.dllMD5=A0251547D09C624F5E0FDFED5F14C834,SHA256=A6E167A77AC44A73323B8FF65E1FA2BAEDC0E092255F81FE041B35D40970FF90,IMPHASH=B1BB7A0B17604581DFBD9AE821306153trueMicrosoft WindowsValid 734700x80000000000000007991060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.906{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.4169 (rs1_release.210107-1130)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=B877C5BDEA2215B3D3CF89F645EB535C,SHA256=2F5468CC4277C8CB4B2AD1095AFC739ECAE0F0B6EE78E57BF64A97F3BDA54C19,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 10341000x80000000000000007991059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.906{3BF36828-E8AA-60DD-FC01-00000000C801}34883928C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000007991058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.906{3BF36828-E8AA-60DD-FC01-00000000C801}34883928C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000007991057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.906{3BF36828-E8AA-60DD-FC01-00000000C801}34883768C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61acc|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000007991056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.906{3BF36828-E8AA-60DD-FC01-00000000C801}34883768C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61acc|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007991055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.906{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.906{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207,IMPHASH=24160898971C9C6FED5AE429E3AAD3DAtrueMicrosoft WindowsValid 734700x80000000000000007991053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.906{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\CoreMessaging.dll10.0.14393.3930Microsoft CoreMessaging DllMicrosoft® Windows® Operating SystemMicrosoft CorporationCoreMessaging.dllMD5=3D9D2F367587B2E93F2868F52D4ACBDD,SHA256=B4B27A7D4B9B685B6015D090B6A3E0E578AFBDE8D6C06A8F2E606A439D5A4BA4,IMPHASH=92CA7117B99353AC45978E95EEB5A46DtrueMicrosoft WindowsValid 734700x80000000000000007991052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.906{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\ExecModelClient.dll10.0.14393.4169 (rs1_release.210107-1130)ExecModelClientMicrosoft® Windows® Operating SystemMicrosoft CorporationExecModelClient.dllMD5=178BCB2B937C94CA144C326FD678A322,SHA256=932D0710FD612EDBE2D0433ABE294AD17D23CB8D43DE7F4CD8E01C58D279C1CE,IMPHASH=B1099E1B098B6F4C7DC6D071206DFC70trueMicrosoft WindowsValid 10341000x80000000000000007991051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.906{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.906{3BF36828-E8AB-60DD-0602-00000000C801}3812716C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.906{3BF36828-E8AB-60DD-0602-00000000C801}3812716C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.906{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000007991047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.906{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 734700x80000000000000007991046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.890{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\fontgroupsoverride.dll10.0.14393.0 (rs1_release.160715-1616)fontgroupsoverride.dllMicrosoft® Windows® Operating SystemMicrosoft Corporationfontgroupsoverride.dllMD5=BDF21A72601B49D75472A068923B290E,SHA256=78B7FCC82A6BC51BCEBB6D4BD59F902B8DBC5999AA3E0CA3DE29684FDDC3BAAC,IMPHASH=7EFF8F4FC3F291FA9E9D9B6EE9E32B9BtrueMicrosoft WindowsValid 734700x80000000000000007991045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.890{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\twinapi.dll10.0.14393.4169 (rs1_release.210107-1130)twinapiMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.dllMD5=40E4471EAFBC1AB4D40288BF005AB895,SHA256=E93454095918346B3426D55704F02DF6FBB1B840BF969CE619E3F10BA0AC9A44,IMPHASH=BE2A18E7131BB697F5E7CE37E2AEC582trueMicrosoft WindowsValid 734700x80000000000000007991044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.890{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\Windows.Globalization.Fontgroups.dll10.0.14393.4169 (rs1_release.210107-1130)Fonts Mapping APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Globalization.Text.dllMD5=E3A7526D39E1F1B27215904BCA536A67,SHA256=CE8601D50F50C58AF4E096B8F0242AC7DD5A1F1749A73AB770BDA1CF36961958,IMPHASH=AE937584CA4D3F514F169AE5CEA83778trueMicrosoft WindowsValid 734700x80000000000000007991043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.890{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\ninput.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft Pen and Touch Input ComponentMicrosoft® Windows® Operating SystemMicrosoft CorporationNINPUT.DLLMD5=BF084D22F7064E686F9BBAC541C680B5,SHA256=ED2E99746A98BAB14B5B565E5D3F092143AA2D8BD0CBD08FE047B64AEF5EF440,IMPHASH=ADED91AA394AD8A3D54B5A54F35771D4trueMicrosoft WindowsValid 10341000x80000000000000007991042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.890{3BF36828-E8AA-60DD-0002-00000000C801}21363752C:\Windows\system32\taskhostw.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.890{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\globinputhost.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows Globalization Extension API for InputMicrosoft® Windows® Operating SystemMicrosoft Corporationglobinputhost.dllMD5=B92070EB12AF4C292155EBB155A0B6C3,SHA256=F155CFD56DC7199F16377259C55C0E8A26662A81588264F01D0E1F1387721DDC,IMPHASH=AB0E9B104017117F7BE18F3C6AAC279AtrueMicrosoft WindowsValid 10341000x80000000000000007991040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.890{3BF36828-DD0D-60DD-1100-00000000C801}6401724C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.890{3BF36828-DD0D-60DD-1100-00000000C801}6401724C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.843{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007991037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.843{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 734700x80000000000000007991036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.827{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\DWrite.dll10.0.14393.4225 (rs1_release.210127-1811)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=BB0ECCB8A72B5926A58433666145D459,SHA256=9C082B0EF00A6E174062634F0421B1179D27BC9077A5C0B1FEB2AA74DBAC2E68,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x80000000000000007991035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.827{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\Windows.Web.dll10.0.14393.4169 (rs1_release.210107-1130)Web Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Web.dllMD5=399F7366C5D75F1B7E804DDB0A6069D0,SHA256=F365F479ED03EF60BE3E78DA076BF1FC6E10AC4A2511C54D59AA14A7FD52A201,IMPHASH=A4CE8C0D67248A4EE97935AB72FBAB58trueMicrosoft WindowsValid 10341000x80000000000000007991034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.827{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5266|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.827{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000007991032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.827{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000007991031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.827{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007991030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.827{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000007991029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.827{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000007991028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.827{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 23542300x80000000000000007991027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.827{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=84148D53E6ED0578A48B0E2B60DF7E97,SHA256=10359B8A83AB57ECF31E5C7B1CD9E60A04056218C82556E19D5EEE135C678334,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007991026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.812{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\Windows.Graphics.dll10.0.14393.4169 (rs1_release.210107-1130)WinRT Windows Graphics DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Graphics.dllMD5=61D276CCEE510F9B6FEFE4E849DC2211,SHA256=AB394CEA5CFB9FD528CC3CB43C5FC888900C05CB667B793FB17D132A08E21A8C,IMPHASH=BE64D3D4CFDDCA394A3E98E4572DB9DAtrueMicrosoft WindowsValid 734700x80000000000000007991025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.812{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 10341000x80000000000000007991024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.812{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000007991023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.796{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000007991022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.796{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000007991021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.796{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+bae7e|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.796{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+bae7e|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.796{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+bae7e|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.796{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12a3cc|C:\Windows\System32\TwinUI.dll+b60d4|C:\Windows\System32\TwinUI.dll+b1e1b|C:\Windows\System32\TwinUI.dll+d206a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.796{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.796{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.796{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\OneCoreUAPCommonProxyStub.dll10.0.14393.3808 (rs1_release.200707-2105)OneCoreUAP Common Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationOneCoreUAPCommonProxyStub.dllMD5=9F8EF1431E82015CD1918582A770DB35,SHA256=FC2073DCE9AC41DBF338FAFE85F2429D6D3812573D2192C7A906C1D46E0AB4FA,IMPHASH=D919FF32201FBB7C5B3EF498D589EAE4trueMicrosoft WindowsValid 734700x80000000000000007991014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.796{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\dcomp.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft DirectComposition LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdcomp.dllMD5=40873566DBFF13981CA1AE23AC281C5D,SHA256=E52C4619C837358454B969D31E2E14ACDEDABB384272D48C03E4F0AF9A2C2B6E,IMPHASH=9651C547656809410E78B358203C1A1DtrueMicrosoft WindowsValid 734700x80000000000000007991013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.796{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\DataExchange.dll10.0.14393.4169 (rs1_release.210107-1130)Data exchangeMicrosoft® Windows® Operating SystemMicrosoft CorporationDataExchange.dllMD5=23F499FA8F8E02A8090FB78E80617BDD,SHA256=08C2E505F3765D98379BB88DC8AD5555AB680A691054933FCA1A2CFCDFA42F51,IMPHASH=05056B92E29CCE6F97F9C6674AE080C0trueMicrosoft WindowsValid 10341000x80000000000000007991012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.796{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.796{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.796{3BF36828-E8AA-60DD-0002-00000000C801}21363752C:\Windows\system32\taskhostw.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.796{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\TextInputFramework.dll10.0.14393.4169 (rs1_release.210107-1130)"TextInputFramework.DYNLINK"Microsoft® Windows® Operating SystemMicrosoft Corporation"TextInputFramework.DYNLINK"MD5=A5D471D5AA5008C13D15681FC09706DF,SHA256=16033864F3B5FFFB0A5E198CEE57840A21415E4BDB16D7B9A430CED8A8FFE687,IMPHASH=4B3A790624F27F9554D88782F051B709trueMicrosoft WindowsValid 734700x80000000000000007991008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.796{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\Windows.UI.Core.TextInput.dll10.0.14393.4169 (rs1_release.210107-1130)Windows.UI.Core.TextInput dllMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.UI.Core.TextInput.dllMD5=DC3E80422665B03DD19D9F0D8293819C,SHA256=BC27D75C7DEDBB192330EB4674D1A26D730FEFB0BC95F1077B02854705B1FEFF,IMPHASH=E0DB99A3F74383C40B61EF63D1345A1FtrueMicrosoft WindowsValid 734700x80000000000000007991007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.796{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\Windows.Globalization.dll10.0.14393.4169 (rs1_release.210107-1130)Windows GlobalizationMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Globalization.dllMD5=D48D3F64A7718C672CDEC0B7A8CB7695,SHA256=C459390E3E67665FC2413469F8C29544DB9421D14B6C40F68B1674C924898B71,IMPHASH=0280A5811869EFED56B453A140477D51trueMicrosoft WindowsValid 734700x80000000000000007991006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.796{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x80000000000000007991005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.609{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\cscui.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Client Side Caching UIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscui.dllMD5=1AFE7E2522633DF86B3160B378F1ABB9,SHA256=A1BFE3136924F3E5276F5C555F51770D9C50A321572DA4F677F2C0D8D5132A76,IMPHASH=7C4C5D26A164B555C68D5F02A417A150trueMicrosoft WindowsValid 734700x80000000000000007991004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.796{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FA,IMPHASH=5BAA515B293A764CA06512D078C4E624trueMicrosoft WindowsValid 734700x80000000000000007991003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.796{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\d2d1.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft D2D LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationd2d1MD5=E15A420D82314AF63973D7D0AB3BA2DD,SHA256=C264B2FA1F3E67E558E2671807C06270926EF456F4FF83F1F9859B18184F187E,IMPHASH=5F8C6AF7D0781F35A516AEB072DAD045trueMicrosoft WindowsValid 734700x80000000000000007991002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.796{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x80000000000000007991001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.796{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\Windows.UI.Immersive.dll10.0.14393.4283 (rs1_release.210303-1802)WINDOWS.UI.IMMERSIVEMicrosoft® Windows® Operating SystemMicrosoft CorporationWINDOWS.UI.IMMERSIVE.dllMD5=4331AC493E264AF1378E0082194D07A5,SHA256=81B8E123110B9C7A34957B9176791AD86EA874315D4555FDC85CF20975E08D99,IMPHASH=C0750252600F63F4BA1D73794E8FE8C0trueMicrosoft WindowsValid 734700x80000000000000007991000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.796{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x80000000000000007990999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.796{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 734700x80000000000000007990998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.796{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\msctf.dll10.0.14393.4225 (rs1_release.210127-1811)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=1FD254D30743876981194F7E17ECDB6F,SHA256=0CB67AC140097A888B7ED85C9A31F8967D16661B82557CE5D61FA70A85BDF8B8,IMPHASH=BC8DDE4D2412D48001350313FD2B7840trueMicrosoft WindowsValid 734700x80000000000000007990997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.781{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\d3d10warp.dll10.0.14393.2608 (rs1_release.181024-1742)Direct3D 10 RasterizerMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D10Warp.dllMD5=B69F0419A16A616FE2D779EC98CD7FB9,SHA256=2D10B43F2137433E48A009227487C691E312D186691485D33B4FDF90D8423C9D,IMPHASH=E32C7474360C94A9FE5E17141A4AB35FtrueMicrosoft WindowsValid 734700x80000000000000007990996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.593{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x80000000000000007990995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.781{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 10341000x80000000000000007990994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.781{3BF36828-E8AA-60DD-FC01-00000000C801}34883768C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007990993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.781{3BF36828-E8AA-60DD-FC01-00000000C801}34883768C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 734700x80000000000000007990992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.781{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x80000000000000007990991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.765{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007990990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.765{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\msvcp110_win.dll10.0.14393.2007 (rs1_release.171231-1800)Microsoft® STL110 C++ Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp110_win.dllMD5=BFB390484F611C21582AD11E4C6ADEF2,SHA256=30B5AD268C022FCA2AACAE2CB6E4DC36F6A01C16A006046BB4417CEA96DA4F5A,IMPHASH=80A56C2FEE02149B4E326F9A62FF4B12trueMicrosoft WindowsValid 734700x80000000000000007990989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.765{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x80000000000000007990988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.765{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\VEEventDispatcher.dll10.0.14393.4169 (rs1_release.210107-1130)Visual Element Event dispatcherMicrosoft® Windows® Operating SystemMicrosoft CorporationVEEventDispatcher.dllMD5=7A89C3B780AD83BD07097E1562C8C2A4,SHA256=A2E4969569F4A963A6F02827480634480817BC00A52C5BB96BD6FC6D9BE54B2A,IMPHASH=68182A73D7878DB2056CBA31DAA3CEFCtrueMicrosoft WindowsValid 734700x80000000000000007990987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.765{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x80000000000000007990986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.765{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\d3d11.dll10.0.14393.4169 (rs1_release.210107-1130)Direct3D 11 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D11.dllMD5=EDCE49E7FDE3BD70DF70F05B8C47ACD4,SHA256=864EC8827EB03CDF7F2FC5E318283A7835E600CE548590C59E1DCF8BF8112089,IMPHASH=460DAE5CA92CB705C37D78BE630D6120trueMicrosoft WindowsValid 734700x80000000000000007990985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.765{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\threadpoolwinrt.dll10.0.14393.4169 (rs1_release.210107-1130)Windows WinRT ThreadpoolMicrosoft® Windows® Operating SystemMicrosoft Corporationthreadpoolwinrt.dllMD5=4D271D6FA08E19B78A99F948FB012F44,SHA256=92D9A5BC0F95FDE6BA83D17925122815BDF3803D949112852C3D97CFBA16D219,IMPHASH=0E03F54121A53AD6BC839C0721A3CECCtrueMicrosoft WindowsValid 10341000x80000000000000007990984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.765{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.765{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.765{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570,IMPHASH=2E790E44628AED89C2CC17E1E4A5CE1CtrueMicrosoft WindowsValid 734700x80000000000000007990981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.749{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\ResourcePolicyClient.dll10.0.14393.3808 (rs1_release.200707-2105)Resource Policy ClientMicrosoft® Windows® Operating SystemMicrosoft CorporationResourcePolicyClient.dllMD5=8FD5FEFE4E020BBC2D95F07BCDC84F71,SHA256=E5E351822CCDEBF81C47C4CA1D5C158E2880C1BD29CA024D163FD9316F3046AE,IMPHASH=E494F732179E765F2CE18BC21CDB1948trueMicrosoft WindowsValid 734700x80000000000000007990980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.593{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\EhStorShell.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Enhanced Storage Shell Extension DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationEhStorShell.dllMD5=4327110011C5B4D72EA451FA23D78CED,SHA256=A3FC4F52D93C74DF05A422F279781747674FEACFCD0ED9DE05FFFC8AEA49E23B,IMPHASH=111C0B6B81920F4C028C3EB61B1873D7trueMicrosoft WindowsValid 734700x80000000000000007990979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.562{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\drprov.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft Remote Desktop Session Host Server Network ProviderMicrosoft® Windows® Operating SystemMicrosoft CorporationDRPROV.DLLMD5=F8938A1C822E99524F4D48BF649D369B,SHA256=5CDAFF537EA8ACDCAC20E5638D3A5101D8356D1C64AF89E74895ED1DBE80A2C5,IMPHASH=5D8958906B8085054F7711F3A2BF41C6trueMicrosoft WindowsValid 734700x80000000000000007990978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.734{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\StateRepository.Core.dll10.0.14393.4169 (rs1_release.210107-1130)StateRepository CoreMicrosoft® Windows® Operating SystemMicrosoft CorporationStateRepository.Core.dllMD5=94299201E0B602E4692F61C5A46E32D9,SHA256=D343410FB20D88B74BF661CACADBBD913034D02410A826A84D60B2B66A95A862,IMPHASH=53CA7FAF1CEDFB0EC8CCD763B974D4A1trueMicrosoft WindowsValid 734700x80000000000000007990977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.562{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\ntlanman.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Microsoft® Lan ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationntlanman.dllMD5=D82162DD970C408025FB1D768E4EBAA2,SHA256=BB3EF060353AB42EA998B64DCF560C75DA93F13CFCB7C2DC7BDC981B241685DA,IMPHASH=18AB3DEF84B0CFFB8B6E912879950011trueMicrosoft WindowsValid 734700x80000000000000007990976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.734{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\Windows.StateRepository.dll10.0.14393.4169 (rs1_release.210107-1130)Windows StateRepository API ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.StateRepository.dllMD5=8F4457905D80A520C684CA48F807C268,SHA256=623299C57C3148EB7B8EE0FE22F2E8A4C7A41712A87D43074E56643BEB84C06A,IMPHASH=A28EA9ED587BD4511849B7BB44021022trueMicrosoft WindowsValid 10341000x80000000000000007990975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.734{3BF36828-DD0D-60DD-1100-00000000C801}6401724C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.734{3BF36828-DD0D-60DD-1100-00000000C801}6401724C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.734{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\dxgi.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)DirectX Graphics InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationdxgi.dllMD5=3C32D763740C83DB2C44DEA4B6F18C54,SHA256=ED26DBB9C3656767CA25887CDC3B45CF978AFC75E064FF5457A36C7A69E55223,IMPHASH=83736A76214A92F5C1B53248D0C22863trueMicrosoft WindowsValid 734700x80000000000000007990972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.734{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\logoncli.dll10.0.14393.3808 (rs1_release.200707-2105)Net Logon Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationLOGONCLI.DLLMD5=B5C16F0A457DB3C7695AAC9EE7E3EE1E,SHA256=88764349C57E619C6D1253BB2F4AFB27DBD141E9EB9C12D445C20F7384A4F437,IMPHASH=FD7877EA3FC7D2EDCA1ADC932A5034BDtrueMicrosoft WindowsValid 10341000x80000000000000007990971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.734{3BF36828-DD0D-60DD-1100-00000000C801}6401724C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.734{3BF36828-DD0D-60DD-1100-00000000C801}6401724C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.546{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\networkexplorer.dll10.0.14393.0 (rs1_release.160715-1616)Network ExplorerMicrosoft® Windows® Operating SystemMicrosoft CorporationNetworkExplorer.DLLMD5=889484BE2979D3C693D194BF4E5F2C82,SHA256=BC046600D8B8DA1652AD584DFAC4D799D4E772BFAF833C50B8F2F91D7D65D6B6,IMPHASH=82DF5355ECE040AB2EB1CF3A3223A564trueMicrosoft WindowsValid 10341000x80000000000000007990968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.734{3BF36828-DD0D-60DD-1100-00000000C801}6401724C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.718{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\directmanipulation.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Direct Manipulation ComponentMicrosoft® Windows® Operating SystemMicrosoft Corporationdirectmanipulation.dllMD5=EA7CE188E0D1E66C361C8B87304EACDE,SHA256=9ADCA2B7554173A0FD8833F65935C151B09A5D790F46E9EC4EE25E9622F1159A,IMPHASH=D9F27AFFC8B05CE56A2B9B9CD5B4C9B5trueMicrosoft WindowsValid 734700x80000000000000007990966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.718{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\WindowsCodecs.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=B791899A46FD151559658F4F86C3C6F5,SHA256=E559B36A3CC2261C16916F2D49FA351DC4E21E5EC581AC43547ABA16F70CDA7E,IMPHASH=945C5ACF3D7F6243AD6374B1152227D8trueMicrosoft WindowsValid 10341000x80000000000000007990965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.718{3BF36828-DD0B-60DD-0B00-00000000C801}6522840C:\Windows\system32\lsass.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.718{3BF36828-DD0B-60DD-0B00-00000000C801}6522840C:\Windows\system32\lsass.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.718{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+18aac|C:\Windows\SYSTEM32\psmserviceexthost.dll+e47e|C:\Windows\SYSTEM32\psmserviceexthost.dll+e517|C:\Windows\SYSTEM32\psmserviceexthost.dll+e22a|C:\Windows\SYSTEM32\psmserviceexthost.dll+18e78|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.718{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\rmclient.dll10.0.14393.4169 (rs1_release.210107-1130)Resource Manager ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationrmclient.dllMD5=D3ABCEC776B1B1D7457A2E8E05F79EE3,SHA256=C368321C5BB811D937E8ABDD2BC3EB959BB8B65F49C104B5AD746129E4E5D169,IMPHASH=FE4203B37BF9B6CEA63D659FD081E423trueMicrosoft WindowsValid 734700x80000000000000007990961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.718{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\urlmon.dll11.00.14393.4402 (rs1_release.210426-1725)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=3562767F9C1D8359A735D4F64A9733F5,SHA256=7E60D82C417779D316000AD376BE9BA2CD14728616F35289E34E47CC6839620B,IMPHASH=198DE5B70ABFFE7B73AD088D655B26D1trueMicrosoft WindowsValid 10341000x80000000000000007990960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.718{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.718{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000007990958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.718{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000007990957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.718{3BF36828-E8AB-60DD-0602-00000000C801}38121068C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x80000000000000007990956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.718{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+83c5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b9c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.718{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b3b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.718{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8749|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ae6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.718{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000007990952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.718{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000007990951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.718{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007990950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.718{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000007990949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.718{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000007990948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.718{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007990947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.718{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000007990946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.718{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000007990945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.718{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007990944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.718{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000007990943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.718{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 734700x80000000000000007990942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.484{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007990941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.702{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x80000000000000007990940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.702{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x80000000000000007990939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.702{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\MMDevAPI.dll10.0.14393.4169 (rs1_release.210107-1130)MMDevice APIMicrosoft® Windows® Operating SystemMicrosoft CorporationMMDevAPI.DllMD5=CF179D8A655703FDD273891432EBF588,SHA256=722863E48713AEDC9E7EA95C181CAAA389B147BCE51A7E815F0D4189AF92B6E8,IMPHASH=A9DFEC2D392C78A08CC45D2B95165EEAtrueMicrosoft WindowsValid 734700x80000000000000007990938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.702{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007990937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.702{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007990936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.484{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\Windows.Storage.ApplicationData.dll10.0.14393.4283 (rs1_release.210303-1802)Windows Application Data API ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.ApplicationData.dllMD5=70CCBC49226FCAF8320B483196EE171D,SHA256=9B34EA835C9D6D312478EC5FB0C50F444F9D0A32013A4C622EC73561701D3E53,IMPHASH=28E467C0B26A13BC6CD010ECA4849A8EtrueMicrosoft WindowsValid 734700x80000000000000007990935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.655{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\Windows.Storage.ApplicationData.dll10.0.14393.4283 (rs1_release.210303-1802)Windows Application Data API ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.ApplicationData.dllMD5=70CCBC49226FCAF8320B483196EE171D,SHA256=9B34EA835C9D6D312478EC5FB0C50F444F9D0A32013A4C622EC73561701D3E53,IMPHASH=28E467C0B26A13BC6CD010ECA4849A8EtrueMicrosoft WindowsValid 734700x80000000000000007990934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.484{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000007990933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.484{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\msvcp110_win.dll10.0.14393.2007 (rs1_release.171231-1800)Microsoft® STL110 C++ Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp110_win.dllMD5=BFB390484F611C21582AD11E4C6ADEF2,SHA256=30B5AD268C022FCA2AACAE2CB6E4DC36F6A01C16A006046BB4417CEA96DA4F5A,IMPHASH=80A56C2FEE02149B4E326F9A62FF4B12trueMicrosoft WindowsValid 734700x80000000000000007990932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.484{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\fontgroupsoverride.dll10.0.14393.0 (rs1_release.160715-1616)fontgroupsoverride.dllMicrosoft® Windows® Operating SystemMicrosoft Corporationfontgroupsoverride.dllMD5=BDF21A72601B49D75472A068923B290E,SHA256=78B7FCC82A6BC51BCEBB6D4BD59F902B8DBC5999AA3E0CA3DE29684FDDC3BAAC,IMPHASH=7EFF8F4FC3F291FA9E9D9B6EE9E32B9BtrueMicrosoft WindowsValid 734700x80000000000000007990931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.484{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\Windows.Globalization.Fontgroups.dll10.0.14393.4169 (rs1_release.210107-1130)Fonts Mapping APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Globalization.Text.dllMD5=E3A7526D39E1F1B27215904BCA536A67,SHA256=CE8601D50F50C58AF4E096B8F0242AC7DD5A1F1749A73AB770BDA1CF36961958,IMPHASH=AE937584CA4D3F514F169AE5CEA83778trueMicrosoft WindowsValid 734700x80000000000000007990930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.468{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Search and Cortana applicationMicrosoft® Windows® Operating SystemMicrosoft CorporationSearchUI.exeMD5=6D8F731EBFEC014E7C57CCDDD00E9A05,SHA256=B414747774960F9D1D8ECB5DA82F6186C4C279EFEF4A5F74148BC90067EBD4D5,IMPHASH=DEA2A4BF213A8F8331A823514DA47B4CtrueMicrosoft WindowsValid 734700x80000000000000007990929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.655{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\MrmCoreR.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Windows MRMMicrosoft® Windows® Operating SystemMicrosoft CorporationMrmCore.dllMD5=D730B5700BEB4A7E6E4244684356739C,SHA256=26083BEB490E48F5711D69A0E597B7A4CC6FB4B31EDCD535A0FF0DFBE4E6F8DD,IMPHASH=462A9FA6F44F25C68798F197AC8EC9D9trueMicrosoft WindowsValid 734700x80000000000000007990928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.655{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x80000000000000007990927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.655{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\CoreUIComponents.dll-----MD5=938961BA199F9626C72673E8D67A0D56,SHA256=92414B7F78A45D4DE494F3283B2A33A1F422E32F73C1733AA9071EE0B89ADC5E,IMPHASH=E1E6E93CD96B5C1875509E930B2B8C21trueMicrosoft WindowsValid 10341000x80000000000000007990926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.655{3BF36828-DD0D-60DD-0F00-00000000C801}3443548C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.655{3BF36828-DD0D-60DD-0F00-00000000C801}3441364C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.655{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x80000000000000007990923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.655{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\Windows.UI.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Runtime UI Foundation DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.UI.dllMD5=FEC31833E8D13591BAECE59B8E39F53C,SHA256=424BAEA0DC8EF34305A881F9B36F22E8CFECA403A0D03B61782D69535387A401,IMPHASH=B073DE28C43175420FE754415439CCEAtrueMicrosoft WindowsValid 734700x80000000000000007990922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.655{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207,IMPHASH=24160898971C9C6FED5AE429E3AAD3DAtrueMicrosoft WindowsValid 734700x80000000000000007990921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.655{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\Clipc.dll10.0.14393.0 (rs1_release.160715-1616)Client Licensing Platform ClientMicrosoft® Windows® Operating SystemMicrosoft CorporationClipC.dllMD5=C1ADE6C578AFD608EBC63BEB0F85ABD7,SHA256=7195914FD6FF035601607636E8EEFC58074852FD9983DB4A7E9DFEAEFA3D8382,IMPHASH=F8BABF073EFC135052FBFD9D3305CCC8trueMicrosoft WindowsValid 10341000x80000000000000007990920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.624{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.624{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.624{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007990917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.624{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.4169 (rs1_release.210107-1130)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=B877C5BDEA2215B3D3CF89F645EB535C,SHA256=2F5468CC4277C8CB4B2AD1095AFC739ECAE0F0B6EE78E57BF64A97F3BDA54C19,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 734700x80000000000000007990916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.624{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\cabinet.dll5.00 (rs1_release.160715-1616)Microsoft® Cabinet File APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcabinet.dllMD5=08A4A2712DB2AE10E483FB74E46B0E73,SHA256=EEB32E3E4256CC9935227ACD5BA576B75F1F6FE3C818D2127513CB22F823FECB,IMPHASH=536E202FBC448C2C3B40D60D87620951trueMicrosoft WindowsValid 734700x80000000000000007990915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.624{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x80000000000000007990914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.609{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x80000000000000007990913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.609{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x80000000000000007990912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.468{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\Windows.Graphics.dll10.0.14393.4169 (rs1_release.210107-1130)WinRT Windows Graphics DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Graphics.dllMD5=61D276CCEE510F9B6FEFE4E849DC2211,SHA256=AB394CEA5CFB9FD528CC3CB43C5FC888900C05CB667B793FB17D132A08E21A8C,IMPHASH=BE64D3D4CFDDCA394A3E98E4572DB9DAtrueMicrosoft WindowsValid 734700x80000000000000007990911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.468{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\threadpoolwinrt.dll10.0.14393.4169 (rs1_release.210107-1130)Windows WinRT ThreadpoolMicrosoft® Windows® Operating SystemMicrosoft Corporationthreadpoolwinrt.dllMD5=4D271D6FA08E19B78A99F948FB012F44,SHA256=92D9A5BC0F95FDE6BA83D17925122815BDF3803D949112852C3D97CFBA16D219,IMPHASH=0E03F54121A53AD6BC839C0721A3CECCtrueMicrosoft WindowsValid 734700x80000000000000007990910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.437{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\ntoskrnl.exe10.0.14393.4402 (rs1_release.210426-1725)NT Kernel & SystemMicrosoft® Windows® Operating SystemMicrosoft Corporationntkrnlmp.exeMD5=5F5F07C5B9FF9BA2AF5894C5F42C4E99,SHA256=A370B2F2D46AF560C24B3F7FE170D6EFCA8CF94B06F89185B3AFF61E77E591A6,IMPHASH=28C22BC918D86AD8BBCB5C7E356B4701trueMicrosoft WindowsValid 734700x80000000000000007990909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.546{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6,IMPHASH=46ADE2B067E724C7163A0B1902FEF225trueMicrosoft WindowsValid 734700x80000000000000007990908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.437{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\linkinfo.dll10.0.14393.0 (rs1_release.160715-1616)Windows Volume TrackingMicrosoft® Windows® Operating SystemMicrosoft CorporationLINKINFO.DLLMD5=4CE9B67A187310E37E535FC4165E0933,SHA256=469B33A5DDAA93D28F66AE6D6956268F6F2F09F146734D00A931FBDD1D87DE42,IMPHASH=F3640F50846C35CCE7151F1E835AE727trueMicrosoft WindowsValid 734700x80000000000000007990907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.359{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\userenv.dll10.0.14393.3986 (rs1_release.201002-1707)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=047D26DCED07A10913C3E7C3A7502BED,SHA256=143C661F79AC6BB271452A10C2A19F6B1AAAAE43B4062B6CFF173F7D8ABC40FE,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x80000000000000007990906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.359{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x80000000000000007990905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.359{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 10341000x80000000000000007990904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.515{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.515{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.515{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.515{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.515{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.515{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.515{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3dff|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000007990897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.515{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3dff|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 734700x80000000000000007990896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.499{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\CoreMessaging.dll10.0.14393.3930Microsoft CoreMessaging DllMicrosoft® Windows® Operating SystemMicrosoft CorporationCoreMessaging.dllMD5=3D9D2F367587B2E93F2868F52D4ACBDD,SHA256=B4B27A7D4B9B685B6015D090B6A3E0E578AFBDE8D6C06A8F2E606A439D5A4BA4,IMPHASH=92CA7117B99353AC45978E95EEB5A46DtrueMicrosoft WindowsValid 734700x80000000000000007990895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.499{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007990894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.499{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\iertutil.dll11.00.14393.4283 (rs1_release.210303-1802)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=5541A4A7FB64063F8AFB192ABD4DAE70,SHA256=AABF2E6C392F29B77F076BF705976B68B3100138BC63060335BD154B8417754D,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x80000000000000007990893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.499{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\Windows.UI.Xaml.dll10.0.14393.4402 (rs1_release.210426-1725)Windows.UI.Xaml dllMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.UI.Xaml.dllMD5=D3AABF7BF9CFBD51194C622C0A6A7D78,SHA256=86F89179208C22EE22AD51820FCE323D0F1EF160F7ABB6EE8AB6F858AB4CDDD9,IMPHASH=B872FEAB4926DE1D74C3DF5AC4E62C2CtrueMicrosoft WindowsValid 734700x80000000000000007990892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.499{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\WinTypes.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=AAA321C636929D23C58B5A78EDA04B61,SHA256=E33D62CC132B8D790B3604DBE227CD2A270E30C1B71881BB4E3B00732CE56E5C,IMPHASH=58F905117CF0434AF54A7CD9D43EEF30trueMicrosoft WindowsValid 734700x80000000000000007990891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.499{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007990890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.499{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007990889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.499{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x80000000000000007990888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.484{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007990887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.484{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007990886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.484{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\BCP47Langs.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)BCP47 Language ClassesMicrosoft® Windows® Operating SystemMicrosoft CorporationBCP47Lang.dllMD5=F688C2B9DD2EB56C3B0312B6380338AA,SHA256=B22DB210486D3B5F4EEB17900C5E7AA0EEFEDBB068A0C4858EFE9F8018C34628,IMPHASH=31EA1856BC7597303D8126028BBFDFB8trueMicrosoft WindowsValid 734700x80000000000000007990885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.484{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x80000000000000007990884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.484{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x80000000000000007990883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.484{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007990882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.484{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007990881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.484{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007990880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.484{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007990879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.484{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x80000000000000007990878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.484{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007990877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.484{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007990876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.484{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007990875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.484{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007990874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.484{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007990873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.484{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\wincorlib.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Windows ® WinRT core libraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwincorlib.DLLMD5=F08F4542548A5CD4F521491164598021,SHA256=D60844E5A091DD42CB1BC03CA76B8BBAF55C5B1A9EC3F1403AB241DDE36CA630,IMPHASH=7118E177B350BBAD51DE9533CF52B852trueMicrosoft WindowsValid 734700x80000000000000007990872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.484{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007990871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.484{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007990870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.484{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117,IMPHASH=BF1AF19CCBABA6D54178C43BE36CD985trueMicrosoft WindowsValid 10341000x80000000000000007990869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.484{3BF36828-E8A8-60DD-F501-00000000C801}2576416C:\Windows\system32\csrss.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x80000000000000007990868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.484{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007990867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.484{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007990866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.468{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+f997|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 734700x80000000000000007990865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.468{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007990864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.468{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+3844|C:\Windows\SYSTEM32\psmserviceexthost.dll+1470c|C:\Windows\SYSTEM32\psmserviceexthost.dll+f933|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000007990863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.468{3BF36828-E8AA-60DD-FD01-00000000C801}3280920C:\Windows\system32\sihost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+47ca8|C:\Windows\System32\modernexecserver.dll+47c41|C:\Windows\System32\modernexecserver.dll+19c8a|C:\Windows\System32\modernexecserver.dll+1f6f8|C:\Windows\SYSTEM32\twinapi.appcore.dll+32a67|C:\Windows\SYSTEM32\twinapi.appcore.dll+32870|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.468{3BF36828-DD0C-60DD-0C00-00000000C801}864C:\Windows\System32\svchost.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117,IMPHASH=BF1AF19CCBABA6D54178C43BE36CD985trueMicrosoft WindowsValid 10341000x80000000000000007990861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.468{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007990860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.468{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+4401|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.468{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5266|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.468{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000007990857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.468{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 734700x80000000000000007990856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.468{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\twinapi.dll10.0.14393.4169 (rs1_release.210107-1130)twinapiMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.dllMD5=40E4471EAFBC1AB4D40288BF005AB895,SHA256=E93454095918346B3426D55704F02DF6FBB1B840BF969CE619E3F10BA0AC9A44,IMPHASH=BE2A18E7131BB697F5E7CE37E2AEC582trueMicrosoft WindowsValid 10341000x80000000000000007990855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.468{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.468{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000007990853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.468{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000007990852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.468{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.468{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.468{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.452{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.452{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.452{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.452{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.452{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\DWrite.dll10.0.14393.4225 (rs1_release.210127-1811)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=BB0ECCB8A72B5926A58433666145D459,SHA256=9C082B0EF00A6E174062634F0421B1179D27BC9077A5C0B1FEB2AA74DBAC2E68,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 10341000x80000000000000007990844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.452{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+baba5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a85|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007990843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.452{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+baba5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a85|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007990842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.452{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.452{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.452{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\sppc.dll10.0.14393.67 (rs1_release.160804-2231)Software Licensing Client DllMicrosoft® Windows® Operating SystemMicrosoft Corporationsppc.dllMD5=7CF84329545035CC0833119C7268A620,SHA256=49E3FA8B9F9ACB1A2CEDE37970361316C93286CEE7F70DE5985E7135498A4210,IMPHASH=BC4A2B9355432144727A5322381AB386trueMicrosoft WindowsValid 734700x80000000000000007990839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.452{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\slc.dll10.0.14393.67 (rs1_release.160804-2231)Software Licensing Client DllMicrosoft® Windows® Operating SystemMicrosoft Corporationslc.dllMD5=060E11DCB875D981E948073986E295DC,SHA256=30858EA58F24537CC3369091F92AD70C59877BDB1FDF8DEC7762A7AB72DDE885,IMPHASH=70AAA0F56F084D1AE09EB5CD51B268ECtrueMicrosoft WindowsValid 734700x80000000000000007990838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.359{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\Windows.Internal.Shell.Broker.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Shell BrokerMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Internal.Shell.Broker.dllMD5=6F20F13032F6BD2E2DA4DCF7FC3B7D10,SHA256=3A8786CCB21AD1AE7301943E891336084CDF42EC906B549766D5D85FF033237E,IMPHASH=9E3ABA0295C7548C4F5020B4E453434CtrueMicrosoft WindowsValid 734700x80000000000000007990837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.327{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\NotificationObjFactory.dll10.0.14393.4169 (rs1_release.210107-1130)Notifications Object FactoryMicrosoft® Windows® Operating SystemMicrosoft CorporationNotificationObjFactory.dllMD5=8CF2F5F4931740AA755ED420B4B34F06,SHA256=A883F16802A8F83B788F88A370E9BBB2F35E1BF293E3D7A69BB31A6564CBB44C,IMPHASH=7BB215E22200D988FC064DB3FC5F5641trueMicrosoft WindowsValid 734700x80000000000000007990836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.327{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\VEEventDispatcher.dll10.0.14393.4169 (rs1_release.210107-1130)Visual Element Event dispatcherMicrosoft® Windows® Operating SystemMicrosoft CorporationVEEventDispatcher.dllMD5=7A89C3B780AD83BD07097E1562C8C2A4,SHA256=A2E4969569F4A963A6F02827480634480817BC00A52C5BB96BD6FC6D9BE54B2A,IMPHASH=68182A73D7878DB2056CBA31DAA3CEFCtrueMicrosoft WindowsValid 734700x80000000000000007990835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.281{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\Windows.UI.Core.TextInput.dll10.0.14393.4169 (rs1_release.210107-1130)Windows.UI.Core.TextInput dllMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.UI.Core.TextInput.dllMD5=DC3E80422665B03DD19D9F0D8293819C,SHA256=BC27D75C7DEDBB192330EB4674D1A26D730FEFB0BC95F1077B02854705B1FEFF,IMPHASH=E0DB99A3F74383C40B61EF63D1345A1FtrueMicrosoft WindowsValid 734700x80000000000000007990834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.265{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x80000000000000007990833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.265{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\QuickActionsDataModel.dll10.0.14393.4169 (rs1_release.210107-1130)QuickActionsDataModelMicrosoft® Windows® Operating SystemMicrosoft CorporationQuickActionsDataModel.dllMD5=3C19C98FF47B8D19A0E9D041C03BEF2F,SHA256=F0CA161A9897EA48A8812651362C640B7CBFA28278F6AC7C1D0D31551B23EF71,IMPHASH=2B5C2FC1797BC831A0CF767AEA1C1602trueMicrosoft WindowsValid 734700x80000000000000007990832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.359{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x80000000000000007990831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.359{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x80000000000000007990830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.359{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x80000000000000007990829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.249{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x80000000000000007990828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.249{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\ShellExperiences\Windows.UI.ActionCenter.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)ActionCenter ExperienceMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.UI.ActionCenter.dllMD5=4159D56E54BA63FC6702CE493C2C821A,SHA256=F7B8E2E968E7D6FFC5C1A51775556EF01DBF2A6AC6040D62B468E94AC9188D9D,IMPHASH=AC5F37A9678AFE97B9202362A8259B7BtrueMicrosoft WindowsValid 10341000x80000000000000007990827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.343{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.343{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.343{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.343{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x80000000000000007990823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2021-07-01 16:09:16.343{3BF36828-E8AC-60DD-0702-00000000C801}1080\TDLN-1080-41C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe 17141700x80000000000000007990822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-CreatePipe2021-07-01 16:09:16.343{3BF36828-DD1D-60DD-2B00-00000000C801}1280\TDLN-1080-41C:\Windows\system32\svchost.exe 10341000x80000000000000007990821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.343{3BF36828-DD1D-60DD-2B00-00000000C801}12805096C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000007990820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.343{3BF36828-DD1D-60DD-2B00-00000000C801}12805096C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x80000000000000007990819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.327{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.327{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.327{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\urlmon.dll11.00.14393.4402 (rs1_release.210426-1725)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=3562767F9C1D8359A735D4F64A9733F5,SHA256=7E60D82C417779D316000AD376BE9BA2CD14728616F35289E34E47CC6839620B,IMPHASH=198DE5B70ABFFE7B73AD088D655B26D1trueMicrosoft WindowsValid 10341000x80000000000000007990816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.327{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007990815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.327{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.327{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.327{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.327{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.327{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x80000000000000007990810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.327{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\SharedStartModel.dll10.0.14393.4169 (rs1_release.210107-1130)Shared Start Model InProc ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationSharedStartModel.dllMD5=1ED630477E6FEFE3C7722FDBA69D905F,SHA256=96846D692A680859F229E9E8BA01A04DB81808871F61E1D1674919DBCF333287,IMPHASH=D57A6858D1CBDF14F3CE8801F944C825trueMicrosoft WindowsValid 734700x80000000000000007990809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.327{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\Windows.Globalization.dll10.0.14393.4169 (rs1_release.210107-1130)Windows GlobalizationMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Globalization.dllMD5=D48D3F64A7718C672CDEC0B7A8CB7695,SHA256=C459390E3E67665FC2413469F8C29544DB9421D14B6C40F68B1674C924898B71,IMPHASH=0280A5811869EFED56B453A140477D51trueMicrosoft WindowsValid 10341000x80000000000000007990808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.312{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.312{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.312{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.312{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.312{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 10341000x80000000000000007990803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.312{3BF36828-E8AA-60DD-FD01-00000000C801}32804620C:\Windows\system32\sihost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007990802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.312{3BF36828-E8AA-60DD-FD01-00000000C801}32804620C:\Windows\system32\sihost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 734700x80000000000000007990801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.218{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 10341000x80000000000000007990800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.312{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.312{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.312{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000007990797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.312{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+badc3|C:\Windows\System32\TwinUI.dll+bae62|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.312{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+badc3|C:\Windows\System32\TwinUI.dll+bae62|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.312{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+badc3|C:\Windows\System32\TwinUI.dll+bae62|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.312{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12a3cc|C:\Windows\System32\TwinUI.dll+b60d4|C:\Windows\System32\TwinUI.dll+b1e1b|C:\Windows\System32\TwinUI.dll+d206a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.312{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.312{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.312{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.312{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.218{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FA,IMPHASH=5BAA515B293A764CA06512D078C4E624trueMicrosoft WindowsValid 10341000x80000000000000007990788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.296{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000007990787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.296{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 734700x80000000000000007990786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.296{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007990785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.218{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\ShellExperiences\QuickActions.dll-----MD5=5F0F953A3CA7BB75B253F73A80280DFF,SHA256=EEABE21D027065753AE69ED22837BE2AD938393322D04CD55908A416B6BDC2AE,IMPHASH=B46A96E8A6FA83C83AC2F12E70CB4E8EtrueMicrosoft WindowsValid 10341000x80000000000000007990784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.296{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000007990783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.296{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+bae7e|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.296{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+bae7e|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.296{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+bae7e|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.296{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12a3cc|C:\Windows\System32\TwinUI.dll+b60d4|C:\Windows\System32\TwinUI.dll+b1e1b|C:\Windows\System32\TwinUI.dll+d206a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.281{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.281{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.281{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\OneCoreUAPCommonProxyStub.dll10.0.14393.3808 (rs1_release.200707-2105)OneCoreUAP Common Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationOneCoreUAPCommonProxyStub.dllMD5=9F8EF1431E82015CD1918582A770DB35,SHA256=FC2073DCE9AC41DBF338FAFE85F2429D6D3812573D2192C7A906C1D46E0AB4FA,IMPHASH=D919FF32201FBB7C5B3EF498D589EAE4trueMicrosoft WindowsValid 734700x80000000000000007990776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.281{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\dcomp.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft DirectComposition LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdcomp.dllMD5=40873566DBFF13981CA1AE23AC281C5D,SHA256=E52C4619C837358454B969D31E2E14ACDEDABB384272D48C03E4F0AF9A2C2B6E,IMPHASH=9651C547656809410E78B358203C1A1DtrueMicrosoft WindowsValid 734700x80000000000000007990775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.281{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\DataExchange.dll10.0.14393.4169 (rs1_release.210107-1130)Data exchangeMicrosoft® Windows® Operating SystemMicrosoft CorporationDataExchange.dllMD5=23F499FA8F8E02A8090FB78E80617BDD,SHA256=08C2E505F3765D98379BB88DC8AD5555AB680A691054933FCA1A2CFCDFA42F51,IMPHASH=05056B92E29CCE6F97F9C6674AE080C0trueMicrosoft WindowsValid 734700x80000000000000007990774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.281{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x80000000000000007990773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.281{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\Windows.UI.Immersive.dll10.0.14393.4283 (rs1_release.210303-1802)WINDOWS.UI.IMMERSIVEMicrosoft® Windows® Operating SystemMicrosoft CorporationWINDOWS.UI.IMMERSIVE.dllMD5=4331AC493E264AF1378E0082194D07A5,SHA256=81B8E123110B9C7A34957B9176791AD86EA874315D4555FDC85CF20975E08D99,IMPHASH=C0750252600F63F4BA1D73794E8FE8C0trueMicrosoft WindowsValid 10341000x80000000000000007990772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.281{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.281{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.202{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\ShellExperiences\Windows.UI.Shell.SharedUtilities.dll-----MD5=0E228864B61F7F5E4D33F72C618F543D,SHA256=504E33EBF729D4218E4D7DB15B4D8FBB1B46311500202F39B573FD4559B367B3,IMPHASH=C3A8AC93BD3CA4E8D990B94E36C71205trueMicrosoft WindowsValid 10341000x80000000000000007990769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.281{3BF36828-E8AA-60DD-0002-00000000C801}21363752C:\Windows\system32\taskhostw.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.281{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\TextInputFramework.dll10.0.14393.4169 (rs1_release.210107-1130)"TextInputFramework.DYNLINK"Microsoft® Windows® Operating SystemMicrosoft Corporation"TextInputFramework.DYNLINK"MD5=A5D471D5AA5008C13D15681FC09706DF,SHA256=16033864F3B5FFFB0A5E198CEE57840A21415E4BDB16D7B9A430CED8A8FFE687,IMPHASH=4B3A790624F27F9554D88782F051B709trueMicrosoft WindowsValid 734700x80000000000000007990767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.187{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\ShellExperiences\StartUI.dll10.0.14393.4169 (rs1_release.210107-1130)Start UIMicrosoft® Windows® Operating SystemMicrosoft CorporationStartUI.dllMD5=D33BFD3901C8A2158ACC19A3B807F54B,SHA256=ABA324A8045AD8EF972EAD49AE2ECA8FCCD555CD5B1E9C70ECD47F9EAEB870DC,IMPHASH=3AA6C3A76E933ADB4B6590860F73D157trueMicrosoft WindowsValid 734700x80000000000000007990766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.265{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\msctf.dll10.0.14393.4225 (rs1_release.210127-1811)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=1FD254D30743876981194F7E17ECDB6F,SHA256=0CB67AC140097A888B7ED85C9A31F8967D16661B82557CE5D61FA70A85BDF8B8,IMPHASH=BC8DDE4D2412D48001350313FD2B7840trueMicrosoft WindowsValid 354300x80000000000000007990765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.606{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local59572- 354300x80000000000000007990764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.500{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-128.attackrange.local62218-false10.0.1.14win-dc-128.attackrange.local389ldap 354300x80000000000000007990763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.500{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62218-false10.0.1.14win-dc-128.attackrange.local389ldap 354300x80000000000000007990762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.496{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62217-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x80000000000000007990761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.496{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62217-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x80000000000000007990760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.492{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62216-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local49666- 354300x80000000000000007990759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.492{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62216-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local49666- 354300x80000000000000007990758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.492{3BF36828-DD0D-60DD-0D00-00000000C801}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62215-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local135epmap 354300x80000000000000007990757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:13.492{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62215-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local135epmap 734700x80000000000000007990756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.249{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\MrmCoreR.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Windows MRMMicrosoft® Windows® Operating SystemMicrosoft CorporationMrmCore.dllMD5=D730B5700BEB4A7E6E4244684356739C,SHA256=26083BEB490E48F5711D69A0E597B7A4CC6FB4B31EDCD535A0FF0DFBE4E6F8DD,IMPHASH=462A9FA6F44F25C68798F197AC8EC9D9trueMicrosoft WindowsValid 734700x80000000000000007990755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.249{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007990754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.218{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\d2d1.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft D2D LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationd2d1MD5=E15A420D82314AF63973D7D0AB3BA2DD,SHA256=C264B2FA1F3E67E558E2671807C06270926EF456F4FF83F1F9859B18184F187E,IMPHASH=5F8C6AF7D0781F35A516AEB072DAD045trueMicrosoft WindowsValid 734700x80000000000000007990753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.202{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\d3d10warp.dll10.0.14393.2608 (rs1_release.181024-1742)Direct3D 10 RasterizerMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D10Warp.dllMD5=B69F0419A16A616FE2D779EC98CD7FB9,SHA256=2D10B43F2137433E48A009227487C691E312D186691485D33B4FDF90D8423C9D,IMPHASH=E32C7474360C94A9FE5E17141A4AB35FtrueMicrosoft WindowsValid 734700x80000000000000007990752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.187{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\d3d11.dll10.0.14393.4169 (rs1_release.210107-1130)Direct3D 11 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D11.dllMD5=EDCE49E7FDE3BD70DF70F05B8C47ACD4,SHA256=864EC8827EB03CDF7F2FC5E318283A7835E600CE548590C59E1DCF8BF8112089,IMPHASH=460DAE5CA92CB705C37D78BE630D6120trueMicrosoft WindowsValid 734700x80000000000000007990751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.187{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\msvcp110_win.dll10.0.14393.2007 (rs1_release.171231-1800)Microsoft® STL110 C++ Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp110_win.dllMD5=BFB390484F611C21582AD11E4C6ADEF2,SHA256=30B5AD268C022FCA2AACAE2CB6E4DC36F6A01C16A006046BB4417CEA96DA4F5A,IMPHASH=80A56C2FEE02149B4E326F9A62FF4B12trueMicrosoft WindowsValid 734700x80000000000000007990750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.187{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\policymanager.dll10.0.14393.4169 (rs1_release.210107-1130)Policy Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPolicyManager.dllMD5=58677E3FBF7D29109E8EB578062F1C81,SHA256=F751521EBC10CC1F0BC6AAB2715B9169439A014F178A7D6880080567D880C103,IMPHASH=E1BC13C6E7766D0332C0420A512C2799trueMicrosoft WindowsValid 23542300x80000000000000007990749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.187{3BF36828-E8AB-60DD-0602-00000000C801}3812ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1920_1080_POS4.jpgMD5=29909D3B662A429603C439A25717C213,SHA256=1C83A5D03C17235C3249936859F101C2934B0A7D569553A0D97C97A332ABE1AC,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007990748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.187{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117,IMPHASH=BF1AF19CCBABA6D54178C43BE36CD985trueMicrosoft WindowsValid 23542300x80000000000000007990747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.155{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PrintService_OperationalMD5=F2A09B10EA72256AD81732A442DE4F7F,SHA256=F1DF2E5CCB263E824E4C0C64F0AA735C60EAA8C16C3113D3671B1ABD67C02FFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007990746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.155{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=84148D53E6ED0578A48B0E2B60DF7E97,SHA256=10359B8A83AB57ECF31E5C7B1CD9E60A04056218C82556E19D5EEE135C678334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007990745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.155{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PrintService_OperationalMD5=B7A3277E6CA8C0713F48BCE676F7AEC5,SHA256=9B25531F6B816E9ABF7A281EFFD0951FAB2C8083D591A727ECA3C56635F9FDAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007990744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.155{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=46ABE0E70FE77E9510FBC2A8963EFF99,SHA256=6EAB124E15F0D2413BD292021B46E79447F71E5BB921E952D49B9D691D7AE228,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007990743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.093{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\Windows.Web.dll10.0.14393.4169 (rs1_release.210107-1130)Web Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Web.dllMD5=399F7366C5D75F1B7E804DDB0A6069D0,SHA256=F365F479ED03EF60BE3E78DA076BF1FC6E10AC4A2511C54D59AA14A7FD52A201,IMPHASH=A4CE8C0D67248A4EE97935AB72FBAB58trueMicrosoft WindowsValid 734700x80000000000000007990742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.093{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\ResourcePolicyClient.dll10.0.14393.3808 (rs1_release.200707-2105)Resource Policy ClientMicrosoft® Windows® Operating SystemMicrosoft CorporationResourcePolicyClient.dllMD5=8FD5FEFE4E020BBC2D95F07BCDC84F71,SHA256=E5E351822CCDEBF81C47C4CA1D5C158E2880C1BD29CA024D163FD9316F3046AE,IMPHASH=E494F732179E765F2CE18BC21CDB1948trueMicrosoft WindowsValid 734700x80000000000000007990741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.093{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\dxgi.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)DirectX Graphics InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationdxgi.dllMD5=3C32D763740C83DB2C44DEA4B6F18C54,SHA256=ED26DBB9C3656767CA25887CDC3B45CF978AFC75E064FF5457A36C7A69E55223,IMPHASH=83736A76214A92F5C1B53248D0C22863trueMicrosoft WindowsValid 734700x80000000000000007990740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.093{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\CoreUIComponents.dll-----MD5=938961BA199F9626C72673E8D67A0D56,SHA256=92414B7F78A45D4DE494F3283B2A33A1F422E32F73C1733AA9071EE0B89ADC5E,IMPHASH=E1E6E93CD96B5C1875509E930B2B8C21trueMicrosoft WindowsValid 734700x80000000000000007990739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.093{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x80000000000000007990738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.093{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207,IMPHASH=24160898971C9C6FED5AE429E3AAD3DAtrueMicrosoft WindowsValid 10341000x80000000000000007990737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.093{3BF36828-DD0D-60DD-0F00-00000000C801}3443548C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.093{3BF36828-DD0D-60DD-0F00-00000000C801}3441364C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.093{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x80000000000000007990734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.093{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\Windows.UI.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Runtime UI Foundation DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.UI.dllMD5=FEC31833E8D13591BAECE59B8E39F53C,SHA256=424BAEA0DC8EF34305A881F9B36F22E8CFECA403A0D03B61782D69535387A401,IMPHASH=B073DE28C43175420FE754415439CCEAtrueMicrosoft WindowsValid 734700x80000000000000007990733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.077{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x80000000000000007990732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.093{3BF36828-DD0D-60DD-0D00-00000000C801}924C:\Windows\System32\svchost.exeC:\Windows\System32\capauthz.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Capability Authorization APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationcapauthz.dllMD5=23F19228D21BADC021EE9105326116F4,SHA256=A80DFA852F9DCD6D4CDB9A202E122B4765E77E18A0C8E436D9A080464257A7BB,IMPHASH=512E63FF45CABF98ADB36E36331EFB3DtrueMicrosoft WindowsValid 10341000x80000000000000007990731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.093{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.077{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 10341000x80000000000000007990729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.093{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.077{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\WinTypes.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=AAA321C636929D23C58B5A78EDA04B61,SHA256=E33D62CC132B8D790B3604DBE227CD2A270E30C1B71881BB4E3B00732CE56E5C,IMPHASH=58F905117CF0434AF54A7CD9D43EEF30trueMicrosoft WindowsValid 734700x80000000000000007990727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.077{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007990726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.077{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.4169 (rs1_release.210107-1130)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=B877C5BDEA2215B3D3CF89F645EB535C,SHA256=2F5468CC4277C8CB4B2AD1095AFC739ECAE0F0B6EE78E57BF64A97F3BDA54C19,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 734700x80000000000000007990725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.077{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007990724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.077{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\iertutil.dll11.00.14393.4283 (rs1_release.210303-1802)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=5541A4A7FB64063F8AFB192ABD4DAE70,SHA256=AABF2E6C392F29B77F076BF705976B68B3100138BC63060335BD154B8417754D,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 23542300x80000000000000007990723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.077{3BF36828-E8AB-60DD-0602-00000000C801}3812ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Notifications\WPNPRMRY.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007990722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.046{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe10.0.14393.2339 (rs1_release_inmarket.180611-1502)Windows Shell Experience HostMicrosoft® Windows® Operating SystemMicrosoft CorporationShellExperienceHost.exeMD5=F1F8E4A28017800BEDDEA618CD3CF1D3,SHA256=E884B7DC5DD2B08CAB7C45FDAA9ECDED8FF547778563A10ECB0DE71DDA71CEB7,IMPHASH=2BE1E9F897944F4BA16B0858AA9BAA70trueMicrosoft WindowsValid 734700x80000000000000007990721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.062{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007990720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.062{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\CoreMessaging.dll10.0.14393.3930Microsoft CoreMessaging DllMicrosoft® Windows® Operating SystemMicrosoft CorporationCoreMessaging.dllMD5=3D9D2F367587B2E93F2868F52D4ACBDD,SHA256=B4B27A7D4B9B685B6015D090B6A3E0E578AFBDE8D6C06A8F2E606A439D5A4BA4,IMPHASH=92CA7117B99353AC45978E95EEB5A46DtrueMicrosoft WindowsValid 734700x80000000000000007990719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.062{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\BCP47Langs.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)BCP47 Language ClassesMicrosoft® Windows® Operating SystemMicrosoft CorporationBCP47Lang.dllMD5=F688C2B9DD2EB56C3B0312B6380338AA,SHA256=B22DB210486D3B5F4EEB17900C5E7AA0EEFEDBB068A0C4858EFE9F8018C34628,IMPHASH=31EA1856BC7597303D8126028BBFDFB8trueMicrosoft WindowsValid 734700x80000000000000007990718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.062{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007990717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.062{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007990716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.062{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007990715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.062{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007990714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.062{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\Windows.UI.Xaml.dll10.0.14393.4402 (rs1_release.210426-1725)Windows.UI.Xaml dllMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.UI.Xaml.dllMD5=D3AABF7BF9CFBD51194C622C0A6A7D78,SHA256=86F89179208C22EE22AD51820FCE323D0F1EF160F7ABB6EE8AB6F858AB4CDDD9,IMPHASH=B872FEAB4926DE1D74C3DF5AC4E62C2CtrueMicrosoft WindowsValid 734700x80000000000000007990713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.062{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007990712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.046{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007990711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.046{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007990710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.046{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007990709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.046{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007990708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.046{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007990707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.046{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\wincorlib.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Windows ® WinRT core libraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwincorlib.DLLMD5=F08F4542548A5CD4F521491164598021,SHA256=D60844E5A091DD42CB1BC03CA76B8BBAF55C5B1A9EC3F1403AB241DDE36CA630,IMPHASH=7118E177B350BBAD51DE9533CF52B852trueMicrosoft WindowsValid 734700x80000000000000007990706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.046{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007990705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.046{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x80000000000000007990704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.046{3BF36828-E8A8-60DD-F501-00000000C801}2576416C:\Windows\system32\csrss.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x80000000000000007990703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.046{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007990702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.046{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007990701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.046{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+f997|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000007990700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.046{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+3844|C:\Windows\SYSTEM32\psmserviceexthost.dll+1470c|C:\Windows\SYSTEM32\psmserviceexthost.dll+f933|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 734700x80000000000000007990699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.046{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007990698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.046{3BF36828-E8AA-60DD-FD01-00000000C801}32803668C:\Windows\system32\sihost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+47ca8|C:\Windows\System32\modernexecserver.dll+47c41|C:\Windows\System32\modernexecserver.dll+19c8a|C:\Windows\System32\modernexecserver.dll+1f6f8|C:\Windows\SYSTEM32\twinapi.appcore.dll+32a67|C:\Windows\SYSTEM32\twinapi.appcore.dll+32870|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.046{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007990696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.046{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+4401|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007990695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.015{3BF36828-DD0C-60DD-0C00-00000000C801}864C:\Windows\System32\svchost.exeC:\Windows\System32\capauthz.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Capability Authorization APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationcapauthz.dllMD5=23F19228D21BADC021EE9105326116F4,SHA256=A80DFA852F9DCD6D4CDB9A202E122B4765E77E18A0C8E436D9A080464257A7BB,IMPHASH=512E63FF45CABF98ADB36E36331EFB3DtrueMicrosoft WindowsValid 734700x80000000000000007990694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.015{3BF36828-DD0C-60DD-0C00-00000000C801}864C:\Windows\System32\svchost.exeC:\Windows\System32\LicenseManagerApi.dll10.0.14393.0 (rs1_release.160715-1616)"LicenseManagerApi.DYNLINK"Microsoft® Windows® Operating SystemMicrosoft Corporation"LicenseManagerApi.DYNLINK"MD5=31B3ED1AF471A91B8FF47A77040C7CA7,SHA256=C188DA35C0479E5A69F4222F4CB6C6CA6D003CF3D77444BCDA8A6BCFECFDF945,IMPHASH=AD5B788776BE99C6255C162BCC27F77BtrueMicrosoft WindowsValid 734700x80000000000000007990693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.999{3BF36828-E8AA-60DD-FD01-00000000C801}3280C:\Windows\System32\sihost.exeC:\Windows\System32\LicenseManagerApi.dll10.0.14393.0 (rs1_release.160715-1616)"LicenseManagerApi.DYNLINK"Microsoft® Windows® Operating SystemMicrosoft Corporation"LicenseManagerApi.DYNLINK"MD5=31B3ED1AF471A91B8FF47A77040C7CA7,SHA256=C188DA35C0479E5A69F4222F4CB6C6CA6D003CF3D77444BCDA8A6BCFECFDF945,IMPHASH=AD5B788776BE99C6255C162BCC27F77BtrueMicrosoft WindowsValid 734700x80000000000000007990692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.984{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\dsreg.dll10.0.14393.4225 (rs1_release.210127-1811)AD/AAD User Device RegistrationMicrosoft® Windows® Operating SystemMicrosoft Corporationdsreg.dllMD5=A9077C17AA04BDD1DBEDD357767E704F,SHA256=E9599D4BA5469F080CEEE8CEFB2DF979B69DA3349EAD3B2CCF12B15D15955E60,IMPHASH=E8BB9C37B47F089EC5F0B7E4C7A2B72EtrueMicrosoft WindowsValid 734700x80000000000000007990691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.999{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\rmclient.dll10.0.14393.4169 (rs1_release.210107-1130)Resource Manager ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationrmclient.dllMD5=D3ABCEC776B1B1D7457A2E8E05F79EE3,SHA256=C368321C5BB811D937E8ABDD2BC3EB959BB8B65F49C104B5AD746129E4E5D169,IMPHASH=FE4203B37BF9B6CEA63D659FD081E423trueMicrosoft WindowsValid 10341000x80000000000000007990690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.999{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007990689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.999{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015899327Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:16.452{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B02EBB953FD5586BD5E6936A833458D0,SHA256=0D11C4F225101DF6568B9E0CFD59DAE0CF65FF8B0111DBF0E0FF27E4B7B45CD0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899326Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:16.373{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37F8705774DD0556245DB6E6FF6B5F4E,SHA256=2ADA503EBC032D43CBBB2CA0B79BD22FDBAF7D5A0F50721E1594C1702B79FC54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899325Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:16.373{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFCA9E10B32C4D3C435912887265C4A1,SHA256=349880CE57936E19B55EC170C28C14F590E1C78DDD82E9541CB215874C9B3937,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007991303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.984{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\NotificationControllerPS.dll10.0.14393.4169 (rs1_release.210107-1130)NotificationController Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationNotificationControllerPS.dllMD5=A5453734AC6CA757BA12004670C3FBCC,SHA256=944D8B92EC00670B96CB6A95A9BD77C883E4FD8AB3058D3DCCA054019817642C,IMPHASH=0758742D84D6F4FC903F625AE4A508ABtrueMicrosoft WindowsValid 10341000x80000000000000007991302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.984{3BF36828-DD1D-60DD-2B00-00000000C801}12805096C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000007991301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.984{3BF36828-DD1D-60DD-2B00-00000000C801}12805096C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 18141800x80000000000000007991300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-ConnectPipe2021-07-01 16:09:17.984{3BF36828-E8AB-60DD-0602-00000000C801}3812\TDLN-3812-41C:\Windows\Explorer.EXE 17141700x80000000000000007991299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-CreatePipe2021-07-01 16:09:17.984{3BF36828-DD1D-60DD-2B00-00000000C801}1280\TDLN-3812-41C:\Windows\system32\svchost.exe 10341000x80000000000000007991298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.984{3BF36828-DD1D-60DD-2B00-00000000C801}12805096C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000007991297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.984{3BF36828-DD1D-60DD-2B00-00000000C801}12805096C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x80000000000000007991296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.984{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.984{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.984{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.984{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.984{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.984{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.984{3BF36828-E8AB-60DD-0602-00000000C801}38124944C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\wpncore.dll+38f2d|C:\Windows\System32\wpncore.dll+37bbe|C:\Windows\System32\wpncore.dll+232a3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x80000000000000007991289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.984{3BF36828-E8AB-60DD-0602-00000000C801}38124944C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\wpncore.dll+38f2d|C:\Windows\System32\wpncore.dll+38e70|C:\Windows\System32\wpncore.dll+23267|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x80000000000000007991288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.984{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.984{3BF36828-E8AB-60DD-0602-00000000C801}38124944C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\wpncore.dll+38f2d|C:\Windows\System32\wpncore.dll+37bbe|C:\Windows\System32\wpncore.dll+232a3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x80000000000000007991286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.984{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.984{3BF36828-E8AB-60DD-0602-00000000C801}38124944C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\wpncore.dll+38f2d|C:\Windows\System32\wpncore.dll+38e70|C:\Windows\System32\wpncore.dll+23267|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x80000000000000007991284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.984{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.984{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.984{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.984{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.796{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x80000000000000007991279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\dhcpcsvc.dll10.0.14393.3930 (rs1_release.200901-1914)DHCP Client ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc.dllMD5=CD3B9633BBEF2102C4665A2C39EC0B1A,SHA256=341EFB4806BE39E09AA90CA3B069C39F2A9D61FA9B512350B2721D41875AFCAE,IMPHASH=9A2F821D250C4CEBC0627590331B869DtrueMicrosoft WindowsValid 734700x80000000000000007991278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\dhcpcsvc6.dll10.0.14393.3930 (rs1_release.200901-1914)DHCPv6 ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc6.dllMD5=1721EAC44BCFC7177AA664ADCA514F23,SHA256=C099BCCE44A04A48147DE8CF093EBF997510154113789BF31394B5148F60B375,IMPHASH=1278B10B4CD792CEC37AF93D76A387ECtrueMicrosoft WindowsValid 734700x80000000000000007991277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\ncsi.dll10.0.14393.3808 (rs1_release.200707-2105)Network Connectivity Status IndicatorMicrosoft® Windows® Operating SystemMicrosoft Corporationncsi.dllMD5=78646C8B3BF9EB0B04C42A867D243917,SHA256=2D2BDD50AAE11BA992B49173DF8E0584CDAB985316C4C7FFD8B7EEA9A5E0CAEA,IMPHASH=6685F48AA931C655960BB67E0AED846CtrueMicrosoft WindowsValid 734700x80000000000000007991276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\bthprops.cpl10.0.14393.3808 (rs1_release.200707-2105)Bluetooth Control Panel AppletMicrosoft® Windows® Operating SystemMicrosoft Corporationbluetooth.cplMD5=DE3EDA0A56627BA2D370683288A89BDF,SHA256=DABB8E2A9DE0F9ED3132381979CEC726C21637BDD534F9A17A334609554FE2F4,IMPHASH=1CEDFDBA86FAA9D02E72E3FE7B696BCAtrueMicrosoft WindowsValid 10341000x80000000000000007991275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.827{3BF36828-E8AD-60DD-0A02-00000000C801}22202216C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.827{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007991273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.827{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007991272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.671{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 734700x80000000000000007991271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.812{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\networkexplorer.dll10.0.14393.0 (rs1_release.160715-1616)Network ExplorerMicrosoft® Windows® Operating SystemMicrosoft CorporationNetworkExplorer.DLLMD5=889484BE2979D3C693D194BF4E5F2C82,SHA256=BC046600D8B8DA1652AD584DFAC4D799D4E772BFAF833C50B8F2F91D7D65D6B6,IMPHASH=82DF5355ECE040AB2EB1CF3A3223A564trueMicrosoft WindowsValid 734700x80000000000000007991270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.812{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117,IMPHASH=BF1AF19CCBABA6D54178C43BE36CD985trueMicrosoft WindowsValid 10341000x80000000000000007991269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.781{3BF36828-E8AA-60DD-FB01-00000000C801}22484256C:\Windows\System32\rdpclip.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+60bba|C:\Windows\System32\SHELL32.dll+d5304|C:\Windows\System32\SHELL32.dll+d4f58|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007991268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.781{3BF36828-E8AA-60DD-FB01-00000000C801}22484256C:\Windows\System32\rdpclip.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+60ba8|C:\Windows\System32\SHELL32.dll+d5304|C:\Windows\System32\SHELL32.dll+d4f58|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000007991267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.781{3BF36828-E8AA-60DD-FB01-00000000C801}22484256C:\Windows\System32\rdpclip.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+60ba8|C:\Windows\System32\SHELL32.dll+d5304|C:\Windows\System32\SHELL32.dll+d4f58|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 13241300x80000000000000007991266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localT1122SetValue2021-07-01 16:09:17.781{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{9F9F77EA-17B8-416F-936D-9E593DDCC5A6}\InProcServer32\(Default)%%SystemRoot%%\system32\shdocvw.dll 13241300x80000000000000007991265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localT1122SetValue2021-07-01 16:09:17.781{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeHKCR\CLSID\{9F9F77EA-17B8-416F-936D-9E593DDCC5A6}\InProcServer32\(Default)%%SystemRoot%%\system32\shdocvw.dll 734700x80000000000000007991264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.671{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\EthernetMediaManager.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Ethernet Media Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationEthernetMediaManager.dllMD5=B5BA96461038DA7E0AA55D3638F0B91E,SHA256=1DE4EA2025E240947CB26846D56DADEE5EC205C378C2FAB7E02D1E32EF0635AA,IMPHASH=8F90DC29538D5B5A35ABD95C8C64036DtrueMicrosoft WindowsValid 734700x80000000000000007991263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.656{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\NetworkUXBroker.dll10.0.14393.4169 (rs1_release.210107-1130)NetworkUXBroker DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetworkUXBroker.dllMD5=07CD75F719EA4691CF436BA035A2A1D3,SHA256=1EA53FB623F13D99F1222C31C97DD071953DE9E9765A2739C80F342DCCE671C4,IMPHASH=8959E2C95C1123988C49A5551F6A2AD6trueMicrosoft WindowsValid 734700x80000000000000007991262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.577{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\duser.dll10.0.14393.0 (rs1_release.160715-1616)Windows DirectUser EngineMicrosoft® Windows® Operating SystemMicrosoft CorporationDUser.DLLMD5=42D5E1F8641E9DCEE0D8751F6F7A8961,SHA256=9168110EF404BF179888AF4A0F02B2817F020BFB16351778F2DDD6915C92F190,IMPHASH=9134DC493583245CFD7E3B68926C19D0trueMicrosoft WindowsValid 734700x80000000000000007991261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.702{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\BluetoothApis.dll10.0.14393.1198 (rs1_release_sec.170427-1353)Bluetooth Usermode Api hostMicrosoft® Windows® Operating SystemMicrosoft CorporationBluetoothApis.DLLMD5=780EF18321894E459A39844E6CFCB783,SHA256=E69C470BD51DE399D1CD1CC44C3B4B376D71729DD2F4F114C368E3AD28EA9915,IMPHASH=565BE656E1DABB7885CE440B41B76C57trueMicrosoft WindowsValid 734700x80000000000000007991260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.702{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007991259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.702{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007991258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.702{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 10341000x80000000000000007991257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.702{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.702{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007991255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.702{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007991254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.702{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007991253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.702{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007991252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.702{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007991251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.702{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007991250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.562{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\hgcpl.dll10.0.14393.4169 (rs1_release.210107-1130)HomeGroup Control PanelMicrosoft® Windows® Operating SystemMicrosoft CorporationHGCPL.DLLMD5=DC8D07B9CF228329BC6EC2AD2FE5917A,SHA256=6CE9AEE63EFAB7A1C6493212EEA43D9ADA12EF0F908A84CBDF29D96227CA0E87,IMPHASH=E8054087663A93B4266F37CB7A7BDE86trueMicrosoft WindowsValid 734700x80000000000000007991249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007991248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007991247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007991246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007991245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007991244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007991243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007991242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007991241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007991240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007991239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007991238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007991237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007991236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007991235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007991234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007991233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007991232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007991231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.546{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\imapi2.dll10.0.14393.4169 (rs1_release.210107-1130)Image Mastering API v2Microsoft® Windows® Operating SystemMicrosoft CorporationIMAPI2.DLLMD5=44562354CC4E231D97AD196D66D50537,SHA256=0606474497D8904942E9F1BD442230CDBAB4C8816693E672F8FF2B44CEB6531D,IMPHASH=06F1B75E24F8D9CAAE89D821296D1179trueMicrosoft WindowsValid 734700x80000000000000007991230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007991229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007991228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007991227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007991226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007991225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007991224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007991223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007991222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007991221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007991220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007991218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.687{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007991217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.671{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007991216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.671{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.671{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.671{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.671{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.671{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007991211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.671{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007991210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.564{3BF36828-E8AD-60DD-0A02-00000000C801}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007991209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.531{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\SyncCenter.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft Sync CenterMicrosoft® Windows® Operating SystemMicrosoft CorporationSyncCenter.dllMD5=49F83E1B491CB58D7BC8830D7C62DBAA,SHA256=B358167D7F2F4CD7CCA9EA580214C30EE12F9BAD2D51241CF2BA7007A1A9A7A1,IMPHASH=A0FBA8A96731CFAF117D666096CB75B3trueMicrosoft WindowsValid 734700x80000000000000007991208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.656{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\npmproxy.dll10.0.14393.4169 (rs1_release.210107-1130)Network List Manager ProxyMicrosoft® Windows® Operating SystemMicrosoft Corporationnpfproxy.dllMD5=4D76C6FAF3D01B31A68C9ABF95F4B7D4,SHA256=9B771613C067880E99ED3D68E6C2A43C6B252E899D44682ADEB5A7F02E925920,IMPHASH=55727E718711848BBCDC7F433974B473trueMicrosoft WindowsValid 734700x80000000000000007991207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.499{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\authui.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Authentication UIMicrosoft® Windows® Operating SystemMicrosoft CorporationAUTHUI.DLLMD5=3574681801DA0EA13EA0AC86ADA31F60,SHA256=058666E94BACD9D17459832E0848C5C29EAB04C06F69428D7FF5E5AF77E46F34,IMPHASH=42B08A89EC0A1C146ED96A9FCBBADF9AtrueMicrosoft WindowsValid 734700x80000000000000007991206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.468{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\pnidui.dll10.0.14393.4169 (rs1_release.210107-1130)Network System IconMicrosoft® Windows® Operating SystemMicrosoft CorporationPNIDUI.DLLMD5=9C486CEE13F3B81CB8B9A7C20F4BE723,SHA256=06D3847DBEC23AFDBC8B239AFEAC7F5290D4F8AFB046586916931DECF5497D31,IMPHASH=EE3BA99068D6471A864823C9D0CBCD1DtrueMicrosoft WindowsValid 734700x80000000000000007991205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.421{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\cscobj.dll10.0.14393.4169 (rs1_release.210107-1130)In-proc COM object used by clients of CSC APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCSCOBJ.DLLMD5=850613912A28BFC344A4B137495E5EDF,SHA256=0D43250573ED2274866893CED721523F0DFB9B75B2B75062E5E690543A96764F,IMPHASH=BA446D9473A9C87DC3CDD702C5B83451trueMicrosoft WindowsValid 734700x80000000000000007991204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.390{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\SettingMonitor.dll10.0.14393.4169 (rs1_release.210107-1130)Setting Synchronization Change MonitorMicrosoft® Windows® Operating SystemMicrosoft CorporationSettingMonitor.dllMD5=21CA16C234E83B08D11ACFC8659D816D,SHA256=987A75990FEE71AA3787F820D7B40E0398658E8E29A74038802C7C9FE2B8709B,IMPHASH=5D2ABA6347EF9030E42DF0EDEEF09763trueMicrosoft WindowsValid 734700x80000000000000007991203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.359{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\PortableDeviceApi.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Portable Device API ComponentsMicrosoft® Windows® Operating SystemMicrosoft CorporationPortableDeviceApi.dllMD5=FF995A3411623293F7E3FD72143D04AB,SHA256=ACEA65301D759F922BDB1AB8DD52B57828FF4D64106A93C3EEAF89553466EA58,IMPHASH=670903BD81DFC5646551677350D72117trueMicrosoft WindowsValid 734700x80000000000000007991202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.359{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\PortableDeviceTypes.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Portable Device (Parameter) Types ComponentMicrosoft® Windows® Operating SystemMicrosoft CorporationPortableDeviceTypes.dllMD5=8B7D4BF15CA6B5296D92CDA88FDEDC6D,SHA256=0FD1713F113867CAF49DD9EE8D9D0BB29E7DEC9C2D535D401894C97A2FFE3F44,IMPHASH=58E2278499A2DCD81A714F7A4188E66DtrueMicrosoft WindowsValid 734700x80000000000000007991201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.359{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\WPDShServiceObj.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Portable Device Shell Service ObjectMicrosoft® Windows® Operating SystemMicrosoft CorporationWpdShServiceObj.dllMD5=E228D2578796FEA23B540352A0DC121E,SHA256=9D0A2B34A75910B5D4D72E217233311CCF0EF4CDC18698A6885C44CF5D04971E,IMPHASH=4190E054AA0C800FCB35E208D6DC9800trueMicrosoft WindowsValid 734700x80000000000000007991200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.296{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\Syncreg.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft Synchronization Framework RegistrationMicrosoft Synchronization FrameworkMicrosoft CorporationSYNCREG.DLLMD5=0C47863A9F26013744AD7AE7E203CB06,SHA256=C0575DBE635FBB9A6C5F9F2A5C2ECDDB70B7805C17A631AC6019C40525C6164D,IMPHASH=2DABABAB593D0686E55A6D198A6FA489trueMicrosoft WindowsValid 734700x80000000000000007991199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.281{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\ActionCenter.dll10.0.14393.4169 (rs1_release.210107-1130)Security and MaintenanceMicrosoft® Windows® Operating SystemMicrosoft CorporationACTIONCENTER.DLLMD5=894A9A7D185250367F650945589C91B3,SHA256=FBED0CE0F95208841AE9778927EDC5A37338AC6340DD2B1D705356A045F345B8,IMPHASH=08593118634361D3F104CE257BE8343FtrueMicrosoft WindowsValid 734700x80000000000000007991198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.265{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\shdocvw.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Doc Object and Control LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHDOCVW.DLLMD5=8B11D3C830CE57D11CE7BA9908919A4E,SHA256=1A1576040191F0F65891E2C936645C3962D1495B9B0779D0467D137AAF073CB7,IMPHASH=9D1FE7038ABEEB7488CABF24DD6C4471trueMicrosoft WindowsValid 734700x80000000000000007991197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.265{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\DXP.dll10.0.14393.4169 (rs1_release.210107-1130)Device Stage Shell ExtensionMicrosoft® Windows® Operating SystemMicrosoft CorporationDXP.DllMD5=FB199E7BF7E116E3D487599B01C50304,SHA256=7F5CA5BF0A8D61FDE9B782AEA185FFDAFFE874ABE3E20595762B0790161DF67C,IMPHASH=255F44F5C3D713142CD0ADDA59D8BAAFtrueMicrosoft WindowsValid 734700x80000000000000007991196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\atlthunk.dll10.0.14393.2969 (rs1_release.190503-1820)atlthunk.dllMicrosoft® Windows® Operating SystemMicrosoft Corporationatlthunk.dllMD5=BECA5E9FA540246333036919A57B7AEF,SHA256=62C24B274B38A88C83EE122CB30142C2135953C1A26582AD003512B238CB7FC9,IMPHASH=E86BAF1A171668A11110B8975A3BDE27trueMicrosoft WindowsValid 734700x80000000000000007991195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\prnfldr.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)prnfldr dllMicrosoft® Windows® Operating SystemMicrosoft Corporationprnfldr.dllMD5=441981BDFF89D1BC015ABE9F4895BE8B,SHA256=CC5C9A451FD600370DBB3584CD726FD53A2C9576E37612BAE465F63EF4B8BCA8,IMPHASH=C3905092C32AEFDC2AE36543347774CBtrueMicrosoft WindowsValid 734700x80000000000000007991194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.156{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007991193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.156{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007991192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.499{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\netprofm.dll10.0.14393.4169 (rs1_release.210107-1130)Network List ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationnetprofm.dllMD5=02AD37C3C2D54BCD9E7BD2AFF3D6E7A6,SHA256=D71D631EC1790A9BD9451EFAEFC7EBADE6353A17CDBB4D8AAACD3102430A686E,IMPHASH=421DFA99869D231800F1E7ABEE7E4DA4trueMicrosoft WindowsValid 734700x80000000000000007991191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.499{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\drprov.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft Remote Desktop Session Host Server Network ProviderMicrosoft® Windows® Operating SystemMicrosoft CorporationDRPROV.DLLMD5=F8938A1C822E99524F4D48BF649D369B,SHA256=5CDAFF537EA8ACDCAC20E5638D3A5101D8356D1C64AF89E74895ED1DBE80A2C5,IMPHASH=5D8958906B8085054F7711F3A2BF41C6trueMicrosoft WindowsValid 734700x80000000000000007991190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.499{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exeC:\Windows\System32\ntlanman.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Microsoft® Lan ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationntlanman.dllMD5=D82162DD970C408025FB1D768E4EBAA2,SHA256=BB3EF060353AB42EA998B64DCF560C75DA93F13CFCB7C2DC7BDC981B241685DA,IMPHASH=18AB3DEF84B0CFFB8B6E912879950011trueMicrosoft WindowsValid 734700x80000000000000007991189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.046{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\batmeter.dll10.0.14393.0 (rs1_release.160715-1616)Battery Meter Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationBATMETER.DLLMD5=F153D5ACB982738EB8302DB4807703D8,SHA256=7FB15C9EE0EA88181DEABF88E36C4862CE6461AD0DC94FD8FF1B9FEFC755F8EA,IMPHASH=7BE0E1C51D4DD0627F907FBFB0F4FF65trueMicrosoft WindowsValid 734700x80000000000000007991188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.468{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\srchadmin.dll7.0.14393.4169 (rs1_release.210107-1130)Indexing OptionsWindows® SearchMicrosoft Corporationsrchadmin.dllMD5=984D2D97D11309A3E8A1135B4922DF2E,SHA256=BE4BFF07131F1935515E852684CB826CC8C62E9B72176BAE0AD6A24CE97E59BD,IMPHASH=CA5EB583B382AB819BA897013DBBAB37trueMicrosoft WindowsValid 734700x80000000000000007991187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.031{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\SystemEventsBrokerClient.dll10.0.14393.4402 (rs1_release.210426-1725)system Events Broker Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSystemEventsBrokerClient.dllMD5=46BA713819EF1E3C5F65B0464E6D1C65,SHA256=6EDA91DEDCBFBB92A35DD9B847036D959297045A1220994A6B8AFC12AB63B0B7,IMPHASH=4FEED1526B11CE741F11F9B4852A7936trueMicrosoft WindowsValid 734700x80000000000000007991186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.031{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll-----MD5=48CC993F1537689141ED8C1E5FB2A23C,SHA256=9C6ED738147E830F4D457E7568A9651EF90F94748AC3522BC2168AA63B0B6D27,IMPHASH=648E3B96406BCB4B914ECF68F478005FtrueMicrosoft WindowsValid 10341000x80000000000000007991185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.421{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+1a9001|C:\Windows\System32\TwinUI.dll+bade1|C:\Windows\System32\TwinUI.dll+bae62|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.421{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+1a9001|C:\Windows\System32\TwinUI.dll+bade1|C:\Windows\System32\TwinUI.dll+bae62|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.421{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+1a9001|C:\Windows\System32\TwinUI.dll+bade1|C:\Windows\System32\TwinUI.dll+bae62|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.421{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+badc3|C:\Windows\System32\TwinUI.dll+bae62|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.421{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+badc3|C:\Windows\System32\TwinUI.dll+bae62|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.421{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12a3cc|C:\Windows\System32\TwinUI.dll+b60d4|C:\Windows\System32\TwinUI.dll+b1e1b|C:\Windows\System32\TwinUI.dll+d206a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.015{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007991178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.015{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007991177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.999{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007991176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.999{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007991175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.984{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007991174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.984{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007991173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.984{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007991172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.984{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007991171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.984{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007991170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.984{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007991169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.984{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007991168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.968{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 734700x80000000000000007991167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.281{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\wevtapi.dll10.0.14393.3053 (rs1_release_inmarket.190612-1836)Eventing Consumption and Configuration APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwevtapi.dllMD5=E0D1C6AC18800339A2EC1134A7C899ED,SHA256=E4340ACB47A202B1BFCE678C44BA5B0B171E388021B0B7D0CED19A55AD9712E1,IMPHASH=4CAFDD735088F52AC974373982DCCDF2trueMicrosoft WindowsValid 734700x80000000000000007991166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.952{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\Windows.ApplicationModel.Background.SystemEventsBroker.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Background System Events Broker API ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.ApplicationModel.Background.SystemEventsBroker.dllMD5=CA9C668C4CA98136A8BF861A6851E6F2,SHA256=8EFA4C1034B0743638D99D6897B98C86E8A1AAB798AF390A0CB343E32055DC55,IMPHASH=8F369C84E30D6D0A93B10A043079A52BtrueMicrosoft WindowsValid 10341000x80000000000000007991165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.249{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.249{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.249{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\NotificationObjFactory.dll10.0.14393.4169 (rs1_release.210107-1130)Notifications Object FactoryMicrosoft® Windows® Operating SystemMicrosoft CorporationNotificationObjFactory.dllMD5=8CF2F5F4931740AA755ED420B4B34F06,SHA256=A883F16802A8F83B788F88A370E9BBB2F35E1BF293E3D7A69BB31A6564CBB44C,IMPHASH=7BB215E22200D988FC064DB3FC5F5641trueMicrosoft WindowsValid 734700x80000000000000007991162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.952{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\Windows.ApplicationModel.Background.TimeBroker.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Background Time Broker API ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.ApplicationModel.Background.TimeBroker.dllMD5=F207D5F13B4BAA9B019069417D8EBBAF,SHA256=3CD84A59971EBE4F15D80C3AC601F5909F659460C7E7044052738473A5B60A5C,IMPHASH=4C27BF49B65386EF2EC96A3494DD1C13trueMicrosoft WindowsValid 734700x80000000000000007991161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.952{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843,IMPHASH=EAA4328F5E33714FA08C71E4AAE43CC1trueMicrosoft WindowsValid 734700x80000000000000007991160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.952{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4,IMPHASH=B6A1A16A2B5E910045E998CD7709E966trueMicrosoft WindowsValid 10341000x80000000000000007991159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.234{3BF36828-DD0D-60DD-1100-00000000C801}6402004C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 734700x80000000000000007991158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.937{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll-----MD5=D1DC08AA3FC8448B0D8736B166D003EF,SHA256=16FEF33788098D770129C0783119E2E6223B8E4EE0750C193DBC1262F6430573,IMPHASH=096E4D7EEA8F8064E8C1CFED746DD2DDtrueMicrosoft WindowsValid 734700x80000000000000007991157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.234{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\es.dll2001.12.10941.16384 (rs1_release.201002-1707)COM+Microsoft® Windows® Operating SystemMicrosoft CorporationES.DLLMD5=C82536B6DCD3370E13D1D34D4A05F13F,SHA256=CD636DCC4516803B77C2CDFECF3A14ADF25F7A8B00F23F1D57A7BA7BD87663DF,IMPHASH=D7A4AD00167880B37A17C79825E9F4B4trueMicrosoft WindowsValid 734700x80000000000000007991156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.937{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\Windows.UI.Shell.dll10.0.14393.953 (rs1_release_inmarket.170303-1614)Shell UIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.UI.Shell.dllMD5=E846C46274FEE4B17C44D4BA7CBB0FF3,SHA256=B66E27230BD545D3FAB1B6863D00426881A567E3F690D621B1032C9D540DF500,IMPHASH=2F0699FA60395C4D566E50B1CB23B77EtrueMicrosoft WindowsValid 734700x80000000000000007991155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.937{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0,IMPHASH=FED414075FF3F23F21C898B1860393B4trueMicrosoft WindowsValid 734700x80000000000000007991154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.921{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\NotificationControllerPS.dll10.0.14393.4169 (rs1_release.210107-1130)NotificationController Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationNotificationControllerPS.dllMD5=A5453734AC6CA757BA12004670C3FBCC,SHA256=944D8B92EC00670B96CB6A95A9BD77C883E4FD8AB3058D3DCCA054019817642C,IMPHASH=0758742D84D6F4FC903F625AE4A508ABtrueMicrosoft WindowsValid 734700x80000000000000007991153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.921{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\stobject.dll10.0.14393.4169 (rs1_release.210107-1130)Systray shell service objectMicrosoft® Windows® Operating SystemMicrosoft Corporationstobject.dllMD5=A76D6B05E775978F93791F65EEAF50CA,SHA256=632A9C4386778CA416C72ED2FBFEA54C4F8BDA60522B38C3E40C1F01F09BD9E0,IMPHASH=964C4ECCB9E6E5D7A09BB663441EC016trueMicrosoft WindowsValid 10341000x80000000000000007991152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.187{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.187{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.187{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.187{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.187{3BF36828-E8AA-60DD-FD01-00000000C801}3280920C:\Windows\system32\sihost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007991147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.187{3BF36828-E8AA-60DD-FD01-00000000C801}3280920C:\Windows\system32\sihost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007991146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.187{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.187{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.187{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000007991143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.187{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.187{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.187{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.187{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.890{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\msftedit.dll10.0.14393.4169 (rs1_release.210107-1130)Rich Text Edit Control, v8.5Microsoft® Windows® Operating SystemMicrosoft CorporationMsftEdit.DLLMD5=0278F6675C79A2013494CDDDCFD6C7B3,SHA256=14F536EB288788586C90DE568BAB6C113D3F4CCD0EE732A17D438A23B225720A,IMPHASH=7C36F76BEB38B735155D539BEBF60532trueMicrosoft WindowsValid 734700x80000000000000007991138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.156{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007991137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.781{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\Windows.Web.Http.dll10.0.14393.4169 (rs1_release.210107-1130)Windows.Web.Http DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Web.Http.dllMD5=6CF1C5602F6D078FDAE0721C747354CA,SHA256=6B39AE7C5C9FA1020AA4E128227818ADF2CB2C909DC6482EA58186FC4D417C0A,IMPHASH=7EF95DFEF602B5C35F7ED08E1983DBB8trueMicrosoft WindowsValid 734700x80000000000000007991136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.781{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\Windows.Cortana.ProxyStub.dll10.0.14393.0 (rs1_release.160715-1616)Windows.Cortana.ProxyStubMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Cortana.ProxyStub.dllMD5=7806FE9D293F066147ED111F7945D18A,SHA256=2C05FEC5EDDFE93E4DE67FA816B5D52273F78F71FCFA53C39CAE2B9B925CA25F,IMPHASH=18518A03148257ED1E3E823BF427D938trueMicrosoft WindowsValid 734700x80000000000000007991135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.796{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\Windows.Cortana.ProxyStub.dll10.0.14393.0 (rs1_release.160715-1616)Windows.Cortana.ProxyStubMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Cortana.ProxyStub.dllMD5=7806FE9D293F066147ED111F7945D18A,SHA256=2C05FEC5EDDFE93E4DE67FA816B5D52273F78F71FCFA53C39CAE2B9B925CA25F,IMPHASH=18518A03148257ED1E3E823BF427D938trueMicrosoft WindowsValid 734700x80000000000000007991134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.781{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\RTWorkQ.dll10.0.14393.479 (rs1_release.161110-2025)Realtime WorkQueue DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationRTWorkQ.dllMD5=1EABA23A7305A232C9A16C14806ED091,SHA256=3AD1A84A56EE0DA68B40D40770787FEED3DCF4A74BE172F01BD837FD680396E6,IMPHASH=41E263D9EB0100A59E34B18CF8F6F725trueMicrosoft WindowsValid 734700x80000000000000007991133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.765{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\mfplat.dll10.0.14393.4169 (rs1_release.210107-1130)Media Foundation Platform DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmfplat.dllMD5=6B3DD2386B60D0003B3A0A1AE706A9C5,SHA256=2DF94FA3C88D5D8AB5A981C0182263B5D8161CE0F96687D2DF7892EB4F25104C,IMPHASH=4B0B41F559164385A004BCC689586F63trueMicrosoft WindowsValid 734700x80000000000000007991132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.765{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\RTMediaFrame.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Runtime MediaFrame DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationRtMediaFrame.dllMD5=A92827E620672D2238EAA376BD1EB9A0,SHA256=7C8673E026AA89832C562924755CF2E7970DA6C9018EFD0B2660ED41D1DEDE24,IMPHASH=57E493411C866C558D3D63109BFA7A0FtrueMicrosoft WindowsValid 734700x80000000000000007991131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.765{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\Windows.Cortana.Desktop.dll10.0.14393.4169 (rs1_release.210107-1130)Windows.Cortana.DesktopMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Cortana.Desktop.dllMD5=2FDAE481D76DA96BEAABC8BCBA9C5B3D,SHA256=B115855A43F18D9E6B84D878D645CBF001D2D57CC97A3D530FAAA50941DD2B82,IMPHASH=2B26CF11685673488CA03DF5356CE0FBtrueMicrosoft WindowsValid 734700x80000000000000007991130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.765{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\Windows.ApplicationModel.dll10.0.14393.4169 (rs1_release.210107-1130)Windows ApplicationModel API ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.ApplicationModel.dllMD5=15E3F11394A188B97CA9327D0FFBA26F,SHA256=CF7BEA849BF91E75174CDEF1BE8DBD7DB2F3BE3F5C2ECD6E1650F677519ED9AE,IMPHASH=75E17947EA5F1615946F8A33F101E206trueMicrosoft WindowsValid 734700x80000000000000007991129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.749{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll-----MD5=D07E3B6CA61C517AE47E59F9BC5A778E,SHA256=AF4107EEBCEACD5B05399D48D23CAFA207F7C01A94E80030C88733CAF31CFCF0,IMPHASH=A141DE86D7A91BDAF06E07FBB55010E6trueMicrosoft WindowsValid 734700x80000000000000007991128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.734{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\PersonaX.dll10.0.14393.4169 (rs1_release.210107-1130)PersonaXMicrosoft® Windows® Operating SystemMicrosoft CorporationPersonaX.dllMD5=C268AC3E91154FFBC6566E5D1E32BDBF,SHA256=19A99CC1CEC85BE8AC30C208C50D8219B68A56989366D5BCEFEE3F010470B9A1,IMPHASH=79392D7DE62127BA7F53E2B4104914A2trueMicrosoft WindowsValid 734700x80000000000000007991127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.702{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x80000000000000007991126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.702{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\winhttp.dll10.0.14393.4169 (rs1_release.210107-1130)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=24995B62FFC2519B34A2145673BD275F,SHA256=BB7D4DE1BE6111462F65F999A8969DA04113F15A80D534A93D3CCC76A9FE1F22,IMPHASH=F1FC6BF3699C289EBAF914A7771E49CDtrueMicrosoft WindowsValid 10341000x80000000000000007991125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.031{3BF36828-DD0D-60DD-1100-00000000C801}6401724C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.015{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007991123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.015{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007991122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.015{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007991121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.702{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x80000000000000007991120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.015{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007991119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.015{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007991118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.015{3BF36828-E8AC-60DD-0902-00000000C801}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007991117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:16.702{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\Speech_OneCore\Common\sapi_onecore.dll5.3.14393.4350 (rs1_release.210407-2154)Speech APIMicrosoft® Speech Recognizer 11.1Microsoft Corporationsapi.dllMD5=7D8E44318AF92B24D5157668430B93EC,SHA256=EA3EA600FCFABBBA7F9E5C31121C4FAD9A5975D2933E4BB7E069B6DF7E42FF23,IMPHASH=B5A681F6DC08EAAF433CF94160F385FFtrueMicrosoft WindowsValid 354300x800000000000000015899332Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:15.667{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51960-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal88kerberos 354300x800000000000000015899331Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:15.560{B81B27B7-881D-60DC-7400-00000000C701}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51959-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49666- 354300x800000000000000015899330Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:15.559{B81B27B7-881D-60DC-7400-00000000C701}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51958-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal135epmap 354300x800000000000000015899329Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:15.542{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51957-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899328Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:17.452{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97C7FDEF6E5EAA698A7F9F3E4119DAB4,SHA256=20AD19E3AE44631A3494BE63727DD354D575A22DCA48E4703C74D7D32E396ECF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007991316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.608{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-98751960-false10.0.1.14win-dc-128.attackrange.local88kerberos 354300x80000000000000007991315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.503{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local389-false10.0.1.15WIN-HOST-98755558- 354300x80000000000000007991314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.502{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.15WIN-HOST-98755557- 354300x80000000000000007991313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.501{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-98751959-false10.0.1.14win-dc-128.attackrange.local49666- 354300x80000000000000007991312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.499{3BF36828-DD0D-60DD-0D00-00000000C801}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15WIN-HOST-98751958-false10.0.1.14win-dc-128.attackrange.local135epmap 354300x80000000000000007991311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:15.467{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62219-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x80000000000000007991310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:18.030{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\usermgrcli.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)UserMgr API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationusermgrcli.dllMD5=53088C541D573FB17068D8C7FE2C91EA,SHA256=20C4124FDB49FA02F9E90B15E9DBA8E0BBD5A82218038AA636FCFAEDEA1B54EA,IMPHASH=5124BA4251101F1719330C2018DBB582trueMicrosoft WindowsValid 734700x80000000000000007991309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:18.030{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\wpnapps.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Push Notification AppsMicrosoft® Windows® Operating SystemMicrosoft Corporationwpnapps.dllMD5=E181670F723760A2CDC71A36094D67FD,SHA256=50FEB4F08A50DDF9C9293A43BE1D336CBD4005A1A17F48E57F3E68E753C1CDEA,IMPHASH=44CF3E4898372C8005B22D9BAD960E9CtrueMicrosoft WindowsValid 734700x80000000000000007991308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:18.030{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x80000000000000007991307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:18.030{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\rmclient.dll10.0.14393.4169 (rs1_release.210107-1130)Resource Manager ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationrmclient.dllMD5=D3ABCEC776B1B1D7457A2E8E05F79EE3,SHA256=C368321C5BB811D937E8ABDD2BC3EB959BB8B65F49C104B5AD746129E4E5D169,IMPHASH=FE4203B37BF9B6CEA63D659FD081E423trueMicrosoft WindowsValid 10341000x80000000000000007991306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.999{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.999{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.999{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015899334Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:18.467{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E7517014D3AC86439320F85D17BC45,SHA256=166835FFDE1DB54478914FD75898A49CF4B87105C9DD7638D0C4A1D66BC6F882,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 22542200x800000000000000015899333Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:15.567{B81B27B7-880A-60DC-0B00-00000000C701}640_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ATTACKRANGE.LOCAL.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 23542300x80000000000000007991319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:19.937{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=509F4062370E24DD1458D0D2E9E6A480,SHA256=00318F16D0B003A03F672A1BE4610EE7EDB8EB1788552EB6B7666944CA13FC29,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007991318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.025{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62080- 354300x80000000000000007991317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.024{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local51856- 23542300x800000000000000015899335Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:19.498{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AA1F93F6C5969B3D66AB9B01BB67D2E,SHA256=812C8B7A69249B174346B21A47BA6D22C9FD342E36680C62CC412B74B93041E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007991378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.952{3BF36828-DD1D-60DD-3000-00000000C801}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007991377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.593{3BF36828-E8AA-60DD-FB01-00000000C801}22484256C:\Windows\System32\rdpclip.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a30ce|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.593{3BF36828-E8AA-60DD-FB01-00000000C801}22484256C:\Windows\System32\rdpclip.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+a3038|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.593{3BF36828-E8AA-60DD-FB01-00000000C801}22484256C:\Windows\System32\rdpclip.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a301a|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007991374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.593{3BF36828-E8AA-60DD-FB01-00000000C801}22484256C:\Windows\System32\rdpclip.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+a301a|C:\Windows\System32\SHELL32.dll+d5032|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.484{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=D0DB3DD09FB2B4ADABF4E719FAFC4EB9,SHA256=8B7C056B5F4AB604ED5077A39C63CE1B5A34929DE76DA4A3C54D6E648D123BAB,IMPHASH=AD7CEB919D43FA2BD394EC803EB6BCDAtrueMicrosoft WindowsValid 734700x80000000000000007991372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.484{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\SyncInfrastructure.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Windows Sync Infrastructure.Microsoft® Windows® Operating SystemMicrosoft Corporation-MD5=371ACA9F325DE626D0C2E8E8F4D1406A,SHA256=2FE0AE1DCCA65C7966942BE20675FB61BA929D4CB0D7DB20B1776F47DF9574A1,IMPHASH=362DF082EC37013707700F842B590046trueMicrosoft WindowsValid 10341000x80000000000000007991371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.484{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.484{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.484{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570,IMPHASH=2E790E44628AED89C2CC17E1E4A5CE1CtrueMicrosoft WindowsValid 734700x80000000000000007991368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.484{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x80000000000000007991367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.484{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x80000000000000007991366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.484{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FA,IMPHASH=5BAA515B293A764CA06512D078C4E624trueMicrosoft WindowsValid 734700x80000000000000007991365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.484{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscapi.dllMD5=6433F8201BFB449DC6B47F6999C2F164,SHA256=06729F1E0A0596620B48B6DC4A2CC9CC5FE55B17BD488C71F7F15AA4262C8C14,IMPHASH=50E2F760F0B39DC72CAD6892FEDF2F27trueMicrosoft WindowsValid 734700x80000000000000007991364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.484{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x80000000000000007991363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.468{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\cscui.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Client Side Caching UIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscui.dllMD5=1AFE7E2522633DF86B3160B378F1ABB9,SHA256=A1BFE3136924F3E5276F5C555F51770D9C50A321572DA4F677F2C0D8D5132A76,IMPHASH=7C4C5D26A164B555C68D5F02A417A150trueMicrosoft WindowsValid 734700x80000000000000007991362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.468{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007991361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.468{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007991360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.468{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\msctf.dll10.0.14393.4225 (rs1_release.210127-1811)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=1FD254D30743876981194F7E17ECDB6F,SHA256=0CB67AC140097A888B7ED85C9A31F8967D16661B82557CE5D61FA70A85BDF8B8,IMPHASH=BC8DDE4D2412D48001350313FD2B7840trueMicrosoft WindowsValid 10341000x80000000000000007991359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.468{3BF36828-DD0D-60DD-0F00-00000000C801}3443548C:\Windows\system32\svchost.exe{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.468{3BF36828-DD0D-60DD-0F00-00000000C801}3441364C:\Windows\system32\svchost.exe{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.468{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x80000000000000007991356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.452{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x80000000000000007991355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.452{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207,IMPHASH=24160898971C9C6FED5AE429E3AAD3DAtrueMicrosoft WindowsValid 734700x80000000000000007991354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.452{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x80000000000000007991353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.452{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007991352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.452{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\SyncCenter.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft Sync CenterMicrosoft® Windows® Operating SystemMicrosoft CorporationSyncCenter.dllMD5=49F83E1B491CB58D7BC8830D7C62DBAA,SHA256=B358167D7F2F4CD7CCA9EA580214C30EE12F9BAD2D51241CF2BA7007A1A9A7A1,IMPHASH=A0FBA8A96731CFAF117D666096CB75B3trueMicrosoft WindowsValid 10341000x80000000000000007991351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.452{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.437{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\mobsync.exe10.0.14393.0 (rs1_release.160715-1616)Microsoft Sync CenterMicrosoft® Windows® Operating SystemMicrosoft Corporationmobsync.exeMD5=99C4EC4CA3E1A91B3F2D3969BB41E6D8,SHA256=65C2A4AD1E69454BAD5C2BE41828E0025749F132786F394F0D38679EA0C68931,IMPHASH=F3ECF73FA53E6EDF6957DDD2E0853888trueMicrosoft WindowsValid 734700x80000000000000007991349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.452{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x80000000000000007991348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.452{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x80000000000000007991347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.452{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x80000000000000007991346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.452{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007991345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.452{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x80000000000000007991344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.452{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x80000000000000007991343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.452{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x80000000000000007991342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.452{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x80000000000000007991341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.452{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 734700x80000000000000007991340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.452{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007991339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.452{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007991338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.452{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007991337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.437{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007991336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.437{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007991335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.437{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007991334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.437{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007991333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.437{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007991332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.437{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007991331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.437{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007991330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.437{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007991329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.437{3BF36828-E8A8-60DD-F501-00000000C801}25762064C:\Windows\system32\csrss.exe{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x80000000000000007991328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.437{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007991327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.437{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007991326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.437{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007991325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.437{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007991324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.437{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8B0-60DD-0B02-00000000C801}4576C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000007991323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.032{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:9840:b51e:8f82:ffff-57420-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x80000000000000007991322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.032{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local57420-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x80000000000000007991321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.031{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-137netbios-nsfalse10.0.1.14win-dc-128.attackrange.local137netbios-ns 354300x80000000000000007991320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:17.031{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-128.attackrange.local137netbios-nsfalse10.0.1.255-137netbios-ns 23542300x800000000000000015899336Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:20.514{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B26EDBFED2FA9AFB2A4C8280D1C222,SHA256=871A306BBB63A7AEDCD8C7079DD1CC8D9F83C4577373EB49C043639A75E0A4F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899337Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:21.545{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4E696611A2A3F02350A95397AFF4726,SHA256=8157EA4338154814807C411853C3C0EAADD2BABDB4DB15146DB7AEB73DA3481F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007991439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.656{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007991438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.656{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007991437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.656{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007991436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007991435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.515{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 734700x80000000000000007991434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007991433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007991432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007991431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007991430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007991429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007991428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007991427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007991426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007991425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007991424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007991423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007991422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007991421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007991420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007991419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007991418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007991417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007991416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007991415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007991414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007991413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007991412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007991411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007991410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007991409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007991408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007991407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007991406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007991405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007991404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007991403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007991402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007991401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007991400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000007991399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007991398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007991397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007991396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.530{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x80000000000000007991395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.515{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.515{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007991393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.515{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007991392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.515{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007991391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.515{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.515{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.515{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.515{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.515{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007991386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.515{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007991385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.407{3BF36828-E8B2-60DD-0C02-00000000C801}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007991384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.452{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007991383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.452{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007991382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.452{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007991381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:22.452{3BF36828-DD0C-60DD-0C00-00000000C801}8643644C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 22542200x80000000000000007991380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:19.456{3BF36828-DD0D-60DD-1200-00000000C801}396tsclient9003-C:\Windows\System32\svchost.exe 354300x80000000000000007991379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:20.139{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62220-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000015899338Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:22.561{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4E3DD03A737F29FD49F6031F89D46E0,SHA256=001C6E2FEC8A34000BA889AFEAA16714966A5B0444CD91545844FD63C4A2DEC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007991444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:23.952{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeC:\Windows\System32\drvstore.dll10.0.14393.2791 (rs1_release.190205-1511)Driver Store APIMicrosoft® Windows® Operating SystemMicrosoft CorporationDRVSTORE.DLLMD5=D0DE1D69FC3F00F65F8D67C31BCC9682,SHA256=F27CEB248FCB3444B850896CB916DACC10BC730E7C2679D2A6C2582CC667F8AD,IMPHASH=AC3F232984E3ABCCF80F1B2A1ACA9991trueMicrosoft WindowsValid 734700x80000000000000007991443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:23.968{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007991442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:23.952{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x80000000000000007991441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:23.952{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007991440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:23.952{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeC:\Windows\System32\devinv.dll10.0.19645.1032 (WinBuild.160101.0800)Device Inventory LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinv.dllMD5=8BFD253467CDB3F41ED2A23FE08B361D,SHA256=5A938F1A6D0FF39BE7B5BD88F46988F4CDAA78134E9E22AC02C46EC688819D17,IMPHASH=94EEFF72CC677C4C4124B0B3A85F7825trueMicrosoft WindowsValid 23542300x800000000000000015899339Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:23.592{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B84A3F5704B857057C03253F04B5FF6B,SHA256=A16A378A756430765F18ECD4AB40CCC7EB0F86232ABE5F2B0D1DCF2E8B1034B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007991548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.968{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007991547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.968{3BF36828-E8B4-60DD-0E02-00000000C801}36643288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.968{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007991545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.968{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007991544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.827{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 734700x80000000000000007991543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.843{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007991542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.843{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007991541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.843{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007991540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.843{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007991539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.843{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007991538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.843{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007991537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.843{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007991536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.843{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007991535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.843{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007991534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.843{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007991533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.843{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007991532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.843{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007991531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.843{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007991530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.843{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007991529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.843{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007991528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.843{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007991527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.843{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007991526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.843{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007991525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.843{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007991524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.843{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007991523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.843{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007991522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.843{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007991521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.843{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007991520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.843{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007991519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.843{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007991518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.843{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007991517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.843{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007991516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.843{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007991515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.843{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007991514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.843{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007991513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.827{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007991512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.827{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007991511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.827{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007991510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.827{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007991509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.827{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007991508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.827{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007991507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.827{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.827{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007991505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.827{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007991504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.827{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007991503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.827{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.827{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.827{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.827{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.827{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007991498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.827{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007991497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.720{3BF36828-E8B4-60DD-0E02-00000000C801}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007991496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:21.264{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62221-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x80000000000000007991495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.218{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007991494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.218{3BF36828-E8B3-60DD-0D02-00000000C801}10842816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.218{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007991492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.218{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007991491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 734700x80000000000000007991490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.093{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007991489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.093{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007991488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.093{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007991487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.093{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007991486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.093{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007991485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.093{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007991484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.093{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007991483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.093{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007991482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007991481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007991480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007991479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007991478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007991477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007991476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007991475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007991474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007991473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007991472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007991471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007991470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007991469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007991468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007991467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007991466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007991465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007991464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007991463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007991462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007991461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007991460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007991459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007991458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007991457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007991456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007991455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007991453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007991452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007991451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007991446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:24.077{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007991445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:23.954{3BF36828-E8B3-60DD-0D02-00000000C801}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000015899341Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:21.370{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51961-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899340Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:24.592{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8FB35982308B95030BE16681969826F,SHA256=AA7C676174D6B106000F32E05CB2579CC59D2BE506D8960C6E6B79E6E8AD8A7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007991599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.655{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007991598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.655{3BF36828-E8B5-60DD-0F02-00000000C801}11842148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.655{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007991596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.640{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007991595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.530{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007991594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.530{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007991593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.530{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007991592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.530{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007991591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.530{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007991590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.530{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007991589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.530{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007991588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.530{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007991587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007991586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007991585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007991584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007991583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007991582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007991581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007991580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007991579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007991578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007991577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007991576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007991575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007991574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007991573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007991572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007991571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007991570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007991569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007991568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007991567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007991566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007991565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007991564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007991563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007991562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007991561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007991560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007991558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007991557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007991556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007991555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007991550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.515{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007991549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:25.517{3BF36828-E8B5-60DD-0F02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015899342Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:25.608{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D734185649DFC09B98C2F488CAE6BCC,SHA256=ABA776D260E1C82AF1DDB27B40E9B7CE6CA05B3D9F9119237531354EC9FAD377,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007991658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.562{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007991657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.562{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007991656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.562{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007991655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.421{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x80000000000000007991654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.406{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 734700x80000000000000007991653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.437{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007991652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.437{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007991651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.437{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007991650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.437{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007991649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.437{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007991648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.437{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007991647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.437{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007991646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.421{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007991645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.421{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007991644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.421{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007991643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.421{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007991642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.421{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007991641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.421{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007991640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.421{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007991639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.421{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007991638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.421{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007991637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.421{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007991636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.421{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007991635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.421{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007991634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.421{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007991633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.421{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007991632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.421{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007991631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.421{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007991630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.421{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007991629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.421{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007991628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.421{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007991627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.421{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007991626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.421{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007991625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.421{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007991624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.421{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007991623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.421{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007991622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.421{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007991621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.421{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007991620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.421{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007991619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.421{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007991618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.406{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.406{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007991616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.406{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007991615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.406{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007991614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.406{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.406{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.406{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.406{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.406{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007991609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.406{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007991608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.297{3BF36828-E8B6-60DD-1002-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007991607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.062{3BF36828-DD1D-60DD-2B00-00000000C801}12803712C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000007991606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.062{3BF36828-DD1D-60DD-2B00-00000000C801}12803712C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 734700x80000000000000007991605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.030{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4350_none_aecb7b4dddd42c62\GdiPlus.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=22905195515813858B52CE4DC79B3FB9,SHA256=CC74B32225A286C5BE81CE792FF7AF86F6AB434519A4A47B7A1CC364D8DF18D9,IMPHASH=BC747D18CC28DFF374DB67CDCF580B6BtrueMicrosoft WindowsValid 10341000x80000000000000007991604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.062{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.062{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.062{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.062{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.015{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\gameux.dll10.0.14393.4350 (rs1_release.210407-2154)Games ExplorerMicrosoft® Windows® Operating SystemMicrosoft Corporationgameux.dllMD5=814785C0EFFB7E588CF49823BC391DA1,SHA256=102BC46595CCC9ECB7394EF79FC86A6A98FA7EF614A9CEFF72A168422305EE81,IMPHASH=030F71B886FCE9AD89517FCFCF973AA0trueMicrosoft WindowsValid 23542300x800000000000000015899343Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:26.639{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBF8CF8E936082785DDCB8D993D5C38E,SHA256=643E98CC87419910913D05BDD934E123A823CD521E4224FA5834B1641E270801,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007991659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:27.656{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\Windows.ApplicationModel.dll10.0.14393.4169 (rs1_release.210107-1130)Windows ApplicationModel API ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.ApplicationModel.dllMD5=15E3F11394A188B97CA9327D0FFBA26F,SHA256=CF7BEA849BF91E75174CDEF1BE8DBD7DB2F3BE3F5C2ECD6E1650F677519ED9AE,IMPHASH=75E17947EA5F1615946F8A33F101E206trueMicrosoft WindowsValid 23542300x800000000000000015899344Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:27.639{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D9DE9DCEF9FD42F11FA67D902F5FABF,SHA256=2D7240FA994E4712ADF313757AF14DF929F53D5B2C740684B96F227FA1F94BF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007991660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:26.295{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62222-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000015899347Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:26.433{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51962-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899346Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:28.655{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69D1DFFFECAF5F99E0BC34418E1B75E0,SHA256=2B48CBD43A5DB7BBD41F06BB01155EE083D0A50779633B12A785809054D88F0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899345Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:28.483{B81B27B7-880B-60DC-1F00-00000000C701}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899349Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:27.777{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51963-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000015899348Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:29.686{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F71856AD25171B519CFCE29E13020C1,SHA256=3FB20234A6F3B43093D74B50AF925517B57525495F2F6AFFD2529106DCD0010A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899350Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:30.686{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=984FAF21114EF139C9D510E581E751BA,SHA256=F8A389E476BA24B7A52F31CEF4A403BA2437BC94EA6171BA48FF26C8BA894B4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007991661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:31.875{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3D3141B6DBB93962B752580801C56FC,SHA256=D388FD2F9B340F5A897A967A9646F95BFE13AB85C96E6E3AB5E83FF9D4278CDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899351Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:31.686{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E4F9CB2CDEDAFFF37F54BDA32B96989,SHA256=BD8585F4CC474B4DF304D7E29D1E5C1CE78DA288080E0092EBAD4FD5A8E04B22,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007991671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:32.343{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007991670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:32.343{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007991669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:32.343{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007991668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:32.343{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007991667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:32.343{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007991666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:32.343{3BF36828-E8AA-60DD-FD01-00000000C801}32803668C:\Windows\system32\sihost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:32.343{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007991664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:32.343{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007991663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:32.343{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007991662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:32.343{3BF36828-E8AA-60DD-FD01-00000000C801}32803668C:\Windows\system32\sihost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+386f0|C:\Windows\System32\modernexecserver.dll+2ff00|C:\Windows\System32\modernexecserver.dll+1e81d|C:\Windows\System32\modernexecserver.dll+1e514|C:\Windows\System32\modernexecserver.dll+49142|C:\Windows\System32\modernexecserver.dll+14a47|C:\Windows\SYSTEM32\ntdll.dll+3a940|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015899352Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:32.702{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=705C97A6E539D03A1F16F25531B842F8,SHA256=3722E6606411579282024481116309368CA2DAFC7FC6F0EE087184891D9570C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007991684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:31.327{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62223-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000007991683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:33.250{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007991682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:33.250{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007991681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:33.250{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007991680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:33.250{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007991679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:33.250{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007991678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:33.250{3BF36828-E8AA-60DD-FD01-00000000C801}32803668C:\Windows\system32\sihost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:33.187{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007991676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:33.187{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007991675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:33.187{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007991674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:33.187{3BF36828-DD1D-60DD-2B00-00000000C801}12803712C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000007991673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:33.187{3BF36828-DD1D-60DD-2B00-00000000C801}12803712C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x80000000000000007991672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:33.187{3BF36828-E8AA-60DD-FD01-00000000C801}32803668C:\Windows\system32\sihost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+386f0|C:\Windows\System32\modernexecserver.dll+2ff00|C:\Windows\System32\modernexecserver.dll+1e81d|C:\Windows\System32\modernexecserver.dll+1e514|C:\Windows\System32\modernexecserver.dll+49142|C:\Windows\System32\modernexecserver.dll+14a47|C:\Windows\SYSTEM32\ntdll.dll+3a940|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015899353Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:33.702{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C6CF0865B74116630D09F72AF96C18,SHA256=EEC07A2EC93F384500505317FC9BC87628376BB86308A31E80832562F5F1F917,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899355Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:34.733{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92426F176DDB3C0CEE9B26EDDB4CBC63,SHA256=269879C0A125FA193C8B4B2AFB49C87DFC0CDAFBE7C54D77E2FB35EF7A01BC79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899354Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:31.527{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51964-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007991687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:35.781{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93CB207307792A98B325FAD02DE4453E,SHA256=46E06BABEB04259FA9446A8528924DF04467B2BC89F40C840112795AC060D6A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007991686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:35.781{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70DBFD14417C6D8BA54C98D0AB22E863,SHA256=24A3959DCD3C4731C94C0914A7450FF79D640F1673831CAF4B9153E8210E5783,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007991685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:35.046{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47126608E2003B85D1A463567F8D0A3D,SHA256=AE8EAA5ABAC3FC8DADA0A432AFDC339207D9B59A0F248E9D9C86C5D68E22DCE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899356Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:35.811{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E441700C12B0545C70EC659C7685EBF5,SHA256=2B727C6E87443238603554B10AD9F82AF7D50CC99D7DA8BAC7FFC8E48C013AC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007991688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:36.562{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26B4CE8BF352CD1A2D147A8EC89AEDDD,SHA256=F9C6A171BFF19C32A0B9EE92266785CC91EE443EC2F4B9E75ABFCE32F1094B20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899357Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:36.842{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45319DD3857DC3055EA891F1C709E12B,SHA256=2CBAF56F8FFA52FD1840A8707F67DB779AD8E13AFA2855CB6556976A1E87FA29,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899358Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:37.874{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6977E0C2BF35B7A68FDDBCEB8953665,SHA256=E6320883421EEF3FD9DDCEAF2D6904408E384B7ADC29884708751A1DA29103CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007991690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:38.125{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B597C8DDD66C04890289C2434DAFBEE,SHA256=3BDD124A96EC492F5A6A2581B6BA1AF6B97B386D5AD9B3E60B3C00825F042B7B,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007991689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:38.031{3BF36828-E8AA-60DD-0402-00000000C801}2060C:\Windows\System32\userinit.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 23542300x800000000000000015899359Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:38.889{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E145C651F565A285519A0DF34D60F465,SHA256=8EA9F3C97649DEB99E12476059CCFF82699C5EF295937EA58E2F752E46745113,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007991692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:37.389{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62224-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007991691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:39.531{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5CA86096208D90FDBF4B49F8DE50E91,SHA256=E9A507F85462C890DD28BE39BD41B0A5E7CF9834170D41065834B23E07634141,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899361Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:39.905{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59996AC1683211D6955DF0D793585E65,SHA256=2477DA56628039DE46EFC47DF301936A1AA90B5BA1675EB51789D9963DA48876,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899360Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:37.418{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51965-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007991694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:40.890{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE7FBAA32871671C1D52CA8E0208A47F,SHA256=439A752AA1ECCDAAC0F8800BBDF4C6E22FA0236250E0C84AEA4BF8A7CFC8C927,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007991693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:40.687{3BF36828-DD0B-60DD-0B00-00000000C801}6522840C:\Windows\system32\lsass.exe{3BF36828-DCF0-60DD-0100-00000000C801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000015899362Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:40.936{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A1ABAD241A478199B8F1317444FB7D0,SHA256=83FB0BEB59E95BDA967CB799FD5438F26D5D49E1C4D485B47E3DABEA2233FCCB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899363Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:41.952{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08B138747FA78DCCB00FDF26B58B7E82,SHA256=33278ED7B7C3B58FD4FC0F9117CF6EE8A076A6F806DC4DB22EE8E3E214F17AE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007991700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:39.890{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62225-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x80000000000000007991699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:39.890{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62225-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 23542300x80000000000000007991698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:42.390{3BF36828-DD0D-60DD-1200-00000000C801}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FCD66F6FD621F0721BA8B9347927B360,SHA256=48C490FF00D73890B0F3F0138B846B3BFA14E3DB117B7BD315F69DDAC11E5EFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007991697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:42.265{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26CE34029BF89A1BBEB12B458EA2279C,SHA256=ECC5352E3EEBDF763938F2FAF0299665217B840251446BF9CF605A85ACB8C769,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007991696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:42.187{3BF36828-DD0D-60DD-0F00-00000000C801}3441516C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:42.187{3BF36828-DD0D-60DD-0F00-00000000C801}3441516C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899391Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.155{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899390Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.155{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899389Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.155{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899388Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.155{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899387Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.155{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899386Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.155{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899385Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.155{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899384Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.155{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899383Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.155{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899382Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.155{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899381Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.155{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899380Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.155{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899379Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.155{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899378Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.155{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899377Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.155{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899376Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.155{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899375Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.155{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899374Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.155{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899373Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.155{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899372Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.155{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899371Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.155{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899370Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.155{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899369Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.155{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899368Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.155{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899367Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.155{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899366Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.155{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899365Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.155{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899364Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.155{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007991701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:43.640{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6588809F55AB87EE29C0EFA752274F42,SHA256=9C92189F1529BD553B06037DA0EFE1C4B23733C2988582FE1DDF51BDCF6FF3DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015899419Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:43.514{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E8C7-60DD-3A2A-00000000C701}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899418Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:43.514{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899417Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:43.514{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899416Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:43.514{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899415Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:43.514{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899414Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:43.514{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899413Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:43.514{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899412Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:43.514{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899411Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:43.514{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899410Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:43.514{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899409Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:43.514{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E8C7-60DD-3A2A-00000000C701}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899408Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:43.514{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E8C7-60DD-3A2A-00000000C701}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899407Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:43.515{B81B27B7-E8C7-60DD-3A2A-00000000C701}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000015899406Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:43.155{B81B27B7-E8C6-60DD-392A-00000000C701}20085580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015899405Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:43.014{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=507980A67DB6528B3379B37E21DDE520,SHA256=00436D6E053C14EC24D280FF6DEAEF2071AA3AA8B3CA58608659A0AA6AA35B50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015899404Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.999{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E8C6-60DD-392A-00000000C701}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899403Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.999{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899402Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.999{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899401Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.999{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899400Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.999{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899399Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.999{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899398Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.999{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899397Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.999{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899396Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.999{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899395Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.999{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899394Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.999{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E8C6-60DD-392A-00000000C701}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899393Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.999{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E8C6-60DD-392A-00000000C701}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899392Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.999{B81B27B7-E8C6-60DD-392A-00000000C701}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000015899436Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:42.527{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51966-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000015899435Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:44.155{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E8C8-60DD-3B2A-00000000C701}2640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899434Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:44.155{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899433Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:44.155{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899432Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:44.155{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899431Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:44.155{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899430Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:44.155{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899429Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:44.155{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899428Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:44.155{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899427Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:44.155{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899426Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:44.155{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899425Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:44.155{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E8C8-60DD-3B2A-00000000C701}2640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899424Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:44.155{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E8C8-60DD-3B2A-00000000C701}2640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899423Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:44.157{B81B27B7-E8C8-60DD-3B2A-00000000C701}2640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015899422Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:44.155{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45A1822847C76B497D25174F8522C5A5,SHA256=B56F81E5E9E3A54000C08C122BABEFBDC2B82191247F87DBF06C03A067FFBB57,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899421Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:44.030{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=846F35AE20C6A4E6FA1AF9B97318EACC,SHA256=93BFC97604661D87477607CB2D7897BC80C37362D4AC5E6BFA8F8AAA46D9C338,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899420Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:44.030{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37F8705774DD0556245DB6E6FF6B5F4E,SHA256=2ADA503EBC032D43CBBB2CA0B79BD22FDBAF7D5A0F50721E1594C1702B79FC54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007991703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:43.248{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62226-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007991702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:45.671{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F3AF216DC701020F2AF249823D56930,SHA256=5BC67ED730669D238FB54B12D2C075DA3EAC38AAEE3DA1441077B069BF54D74F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899438Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:45.202{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=846F35AE20C6A4E6FA1AF9B97318EACC,SHA256=93BFC97604661D87477607CB2D7897BC80C37362D4AC5E6BFA8F8AAA46D9C338,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899437Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:45.170{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=006FE4CE91BDDA02341FDEE2AD1693CF,SHA256=97FC73D6F0F1FF17E40B7A7A6765DAD24144505817B0E6B98BB1C2E1FD35302F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899439Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:46.187{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E1E951A82E81B01B64266EB807E6D29,SHA256=E9AF04C76806A1D62FB6BFEBE1ADB3BC36CD378F4D3B5F4355665CA9119715B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007991705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:47.250{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15D7C9A2DC37E0B81271D2653B045579,SHA256=7CDF4E66C9F529769015193DD94B89401A8A14CE9DB8392955C1ADFD07C3399C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007991704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:47.250{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5FD5960BFE13A01F0786B1E2F45F3C3,SHA256=DD1B007CBF8C119B73757F7204EBF627871EAA81AC6D69A400A599570C67E276,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015899454Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:47.566{B81B27B7-E8CB-60DD-3C2A-00000000C701}2704656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899453Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:47.410{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E8CB-60DD-3C2A-00000000C701}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899452Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:47.410{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899451Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:47.410{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899450Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:47.410{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899449Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:47.410{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899448Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:47.410{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899447Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:47.410{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899446Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:47.410{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899445Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:47.410{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899444Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:47.410{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899443Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:47.410{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E8CB-60DD-3C2A-00000000C701}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899442Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:47.410{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E8CB-60DD-3C2A-00000000C701}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899441Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:47.410{B81B27B7-E8CB-60DD-3C2A-00000000C701}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015899440Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:47.234{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=354DCE899D2B718FF229A2E8DDB81434,SHA256=3358F55BDF72570E459503BDE367F6C22D00A17360DD8E0E3F76C63DF2527E07,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007991706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:48.631{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01230D00B06E573D99853E4A35E14E69,SHA256=A5EC79C544DED9E3038BBA33FADC749246C4B20FB2FE02937B75C616567C45A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015899484Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:48.847{B81B27B7-E8CC-60DD-3E2A-00000000C701}1000912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899483Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:48.706{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E8CC-60DD-3E2A-00000000C701}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899482Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:48.706{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899481Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:48.706{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899480Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:48.706{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899479Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:48.706{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899478Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:48.706{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899477Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:48.706{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899476Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:48.706{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899475Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:48.706{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899474Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:48.706{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899473Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:48.706{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E8CC-60DD-3E2A-00000000C701}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899472Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:48.706{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E8CC-60DD-3E2A-00000000C701}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899471Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:48.709{B81B27B7-E8CC-60DD-3E2A-00000000C701}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015899470Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:48.706{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B898134802CD9DB23E074BB431CD1AE9,SHA256=DD8F62BEDC0E448096351AEA597D1A05340C2F713B9198E1A36E79EBF5377716,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899469Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:48.706{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15D3DB22EA33D8C6ACEC388F5EDBB4B1,SHA256=FBBBCFCE4A3DBF9E513E93E3D36BFEAB5E939CF9F7A853FD35615F710DFAFBCB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015899468Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:48.222{B81B27B7-E8CC-60DD-3D2A-00000000C701}8445752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899467Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:48.082{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E8CC-60DD-3D2A-00000000C701}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899466Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:48.082{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899465Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:48.082{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899464Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:48.082{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899463Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:48.082{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899462Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:48.082{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899461Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:48.082{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899460Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:48.082{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899459Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:48.082{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899458Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:48.082{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899457Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:48.082{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E8CC-60DD-3D2A-00000000C701}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899456Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:48.082{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E8CC-60DD-3D2A-00000000C701}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899455Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:48.082{B81B27B7-E8CC-60DD-3D2A-00000000C701}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015899499Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:49.847{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC8145DF942C369894B4E932E03FD2AB,SHA256=6332EBDE7B142B8BB0390F1FA56B304C477C54B6E76126CEE5387DBAD5E01FAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899498Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:49.847{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E6061CB9010319E35299629F69F9AA1,SHA256=19AEF3755948B89310F4632B862C6DE7C8608875B66B48F880063801E55A2190,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015899497Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:49.378{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E8CD-60DD-3F2A-00000000C701}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899496Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:49.378{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899495Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:49.378{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899494Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:49.378{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899493Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:49.378{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899492Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:49.378{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899491Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:49.378{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899490Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:49.378{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899489Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:49.378{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899488Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:49.378{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899487Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:49.378{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E8CD-60DD-3F2A-00000000C701}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899486Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:49.378{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E8CD-60DD-3F2A-00000000C701}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899485Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:49.379{B81B27B7-E8CD-60DD-3F2A-00000000C701}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007991707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:50.006{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47D79FB40ADC9E3FAC586D1099020326,SHA256=AAB1241543A59B538A5434E75B28F78B76C9596AAB4ED8C62137997B31531CB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899501Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:50.863{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F75EC51C461DBB1736B2B3AA26CBF0B2,SHA256=779B4E454903ACEE46C3E2B8B65F69CA54B981E6A20C67AEC3E6057A182709CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899500Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:48.516{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51967-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007991709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:51.365{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=974AA8C645FB591D77089C3541201AD7,SHA256=F72E4070EB93B61FD6B46A9736E60700FD492259559FC7B10386BEBC0B9BD389,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007991708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:48.314{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62227-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899502Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:51.878{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7044D262D6D07B8E514F5CE1BE6C45A5,SHA256=0B9E7DE2CE8E0A7A2B7B9A1748539C179E1889E8B127850D4389F0C3ECAF6D0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007991710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:52.740{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=001279C4079556E62D2C30DCEC88C48A,SHA256=EDC6198D795ADD10336AA592101405D1C4CCBAE27865D24EF96B2FC13DE3C95A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899503Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:52.925{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D357EB4D48D313818946B67121BCAE9,SHA256=CE1378EB1731E6ADEB479C6F0A08ECC4D4FF4E89C4DF2EF31226584CF9E33E56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899504Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:53.972{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12DD88F52BB1BF07567C51CD0B22A054,SHA256=3C8D00282BA10496142E377AE962216A3655D7FD56D4BB93473E5E219FD3AC53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007991711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:54.100{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45A6B730EF99330FA32FFBE3255CE215,SHA256=06CFEA13D932E794452C8CCEF10F9A451A353017CB4378B0BC65162B6037014C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899505Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:54.988{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0E0AE99CB394CA54F4A414DD1939626,SHA256=8D077A2886FF505BAE2EB7286037B64CDC30B50650170E63F10640E716DE7B2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007991713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:55.459{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=407BC2572A1EE2D4E3146040F1FA3B9C,SHA256=0D942C9E2FBDCA5C54615A6FE4BBCD78DE9016F36F9650BFBB1B9EB142082A65,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007991712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:53.333{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62228-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000015899507Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:53.532{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51968-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899506Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:55.363{B81B27B7-880A-60DC-1000-00000000C701}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=638073338F521078F172A54645E64A0B,SHA256=C527DBBC8D0E9A50E0D2AB665938B1D0503558B932852A0941185C6EA0666897,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007991715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:56.834{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7395292C1983BE276B49B81B10F85388,SHA256=E17536C411EF7B184707A165E76562E7FAC8A5287CD20502A6985029506E0790,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007991714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:56.147{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C9B4DB0CDADCE44ED83185891FE167F,SHA256=2051206532953C8BE1AE927A787AC728B152FCC9E65FCF08474AEE02A6BA5FDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899508Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:56.001{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E371A4C029E301E83C32AF511CAA538,SHA256=9E488CC620AD5B480C78E77E901CF778C6CD88E133FBFD4E9AE81492B6C092F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899509Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:57.003{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9106A95E51C62DB4B1951FE73D39A551,SHA256=70EF2FA92C54CBD9F07D54C016B96D4B41C84CCE75043B278F8F4BE31FAD0E4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007991716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:58.194{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=864A5A8D5CF5DC3FE4957218A0356070,SHA256=6935238F783B89A901B5A0A0DF7F5CB57327B227FAC01838BC92198EAAF3D26B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899510Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:58.019{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E94D8393B348C0236D36507FB76C0679,SHA256=6EFB9BC3C9B636CB8AAC647DBCE2396D555AB3228BCDC5302D6D89E161570F0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007991717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:59.569{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C2FC800F8591E7FE3183D5DDAEC9931,SHA256=D90247252E811B5768C2FD36C033140438278B04C823E6ECE91820FA178E4E06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899511Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:59.035{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB156EB883AC0488808DFC777733AE8B,SHA256=163FD3AFC116C7664AA15527F5A1D3A5590F04104F0D72978A3F358C6637967C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007991719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:00.929{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A73335D63B205877006EB4BB3BF2F56D,SHA256=7FA135CAC715EAEAE3CD431C161D8E18C9BE0A6877C7B7620A9E199790EDE364,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007991718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:09:58.411{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62229-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899512Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:00.050{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=265962127A28D42C01100D5E65F2CFB6,SHA256=E3E188F170F1CDC9E973F87AEFF9EAFCD6714960CA60AC1691910782DAAB6567,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899514Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:09:59.360{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51969-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899513Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:01.097{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D76D623F334AABD3C70AEADF8D62076C,SHA256=53B0A14DAA2D73763A8769BA0E09AE0A28C19A9779C658940BCC3F47F1067E4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007991720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:02.288{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BBF02B9458101BE33E0556752328440,SHA256=27EC7F73CF2FB1477A1DC1F044B6784BE58307D82D0B44EB813D0EAACBB6DDDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899515Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:02.097{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=827475C070B9D5AA921C00B7C6D75DFD,SHA256=B37C80F22F4D54058EF79B937A319EB6B45C507C4FEC87E592D6BE7A52F2A95D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007991721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:03.648{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCD0769BD8568EBBD5372FF996215B17,SHA256=D0F89C6ADD0BC0585E497016BA4FF38FD2DD5091DEA3F362894FD34442CCD1CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899516Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:03.113{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63958AFB87DF528422947B9CC40F647D,SHA256=35A6BBCAF3781F1310CA876551BFD538BE03A2E781B48DA1D74EB4B54F11BFC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899517Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:04.160{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90FC2F3B75C0E8BD27B9DC3B1D01C9F3,SHA256=567DC403A857420A87826BB058C22A3C82CEE7C00F9B248C6B1C78310DC1B6F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007991723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:05.023{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58499412F55662C358D27512BAB829D4,SHA256=54D79F265D26B10E11A10080287B8FD81665888CA4F676A0B785CA9ADAFFC192,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007991722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:05.023{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF106F302601E2CC8C51DD1140F3C1E0,SHA256=71EE8A02119BD547A102C747374515A02E449F7EA1F2D0BD40F3B73AB1138251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899518Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:05.191{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFEC07B557F54821756D2CA515484AD2,SHA256=F0B39800D6CD63A12C05D1CE25F4F8D5D302E83983499F383A2F76835ADD61E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007991725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:04.287{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62230-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007991724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:06.382{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFA2E75EA847F01AC275DC49CD04AFBE,SHA256=195F519A27EA1C693FF058ABC9665367C5371B548B001C6065B3BCFC796AD310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899519Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:06.222{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6AC4EDB2AF466AB9B2D4318D99F1D09,SHA256=9E477D41ED7FDE5124E2268780052B0909BD0BA303BA71933FAF5EE38473F3E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007991726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:07.753{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=015759E1E8F45B2AA52105974C320736,SHA256=1957C4ADFD572F79E3E79C87F1342AFCFEF09D93B7F1BFD86FC4332154FD3CA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015899521Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:05.391{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51970-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899520Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:07.238{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7A8B56D22D64B8482D269D286F7DDE3,SHA256=FC72151D18D27C453DF49E693DEB0926001FD59994502BC4E67F9B7C5144B2DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899522Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:08.301{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DABAC1B143AA72453EE6B1166E77181E,SHA256=E239DA6F60AE09AA51B47069FB6210134A55BA2EE9AA1E4683F4546CC50474EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007991727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:09.113{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C0D4074FA7789A5C71607D0867D54C0,SHA256=C7CD4F6AEB4BDC50697A67EEA275C3541F5E8B2EFB79D779876C49E8438208F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899523Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:09.332{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C858B33EF369EE37B96D210AB6EAEF9,SHA256=F7805E5CC377837CE778A061263FEB48EA3B99D54D8BB25554709D7799E990A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007991728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:10.488{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1538A06071FAAF66397928BF158B1C60,SHA256=21FEF1EF352D1099E5CA908F1F1A9932FBF13FC1336D7F331008020DB2011507,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899524Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:10.363{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A468B5C3314F7B0105B67B1A39C98D,SHA256=05845E874F47069CAE8966D0285108A7B95D012DFCD48E0F0883F6FD82DC2142,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007991729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:11.847{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA45355BEDB5A41BA512BF4185E6A670,SHA256=394EB8391A50F7B0223F269E34837644AEA599A2BEF99998132B49F024A2015C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899525Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:11.379{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B373F252443077BB009B64ABD6169986,SHA256=7C406FEFD82952BF180F6BD0886F48C463B2119FAC3D5B959FCEF2E53F3E1384,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007991732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:10.767{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62232-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007991731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:10.767{3BF36828-DD1D-60DD-2F00-00000000C801}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62232-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007991730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:09.345{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62231-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899526Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:12.394{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=717231910E048589B02086A0E27BD9BC,SHA256=15C2E982DFA813F5570A483659CB5D567FF79EF934D1C9660F2297A9EFFB9E78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007991734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:13.894{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE704E56936D7D32D3C075C29FB7EAC1,SHA256=ADFDA30152532F95E81C8E5BC38E3C402E2FC0E016030D77131C2FF685DF4A1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007991733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:13.206{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B734051328F681EB7C281366B61A510B,SHA256=9C850043B25734E97F34BBEFB4CB71BD02B981044815E25E5A548278F734C330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899528Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:13.410{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=674C19FCE05BE55EADEB3243809852C8,SHA256=C349690934CB01C46BEC3DC8DD8B6A7FD490FED526804EBB24C1FE009431A61C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899527Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:10.485{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51971-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000007991739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:14.847{3BF36828-E8AA-60DD-FC01-00000000C801}3488872C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61acc|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000007991738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:14.847{3BF36828-E8AA-60DD-FC01-00000000C801}3488872C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61acc|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007991737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:14.831{3BF36828-E8AA-60DD-FC01-00000000C801}34883928C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61acc|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000007991736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:14.831{3BF36828-E8AA-60DD-FC01-00000000C801}34883928C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61acc|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x80000000000000007991735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:14.566{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9453EF4BB2F65E1CD8AC3AC8B137730,SHA256=EC518074BC51FDAEECA6523B7405B8E1E048B5BDEF600F4A71A1020CE3B0B1AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899529Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:14.441{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8BA1D7BBF543F3033FEB6CC98FE7415,SHA256=A9600C35F5CA88B1E1C5406B5A9741253497DE903BD55F3A20B302B916B46F59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007991791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.909{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946,IMPHASH=2DCB08A6E31A83C3EA33C5793EFA9A56trueMicrosoft WindowsValid 734700x80000000000000007991790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.894{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088,IMPHASH=76F056ED62EDF4D48793D8C5EDA733ADtrueMicrosoft WindowsValid 734700x80000000000000007991789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.894{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6,IMPHASH=6FE75EB0A263DD16629B09AECE416B36trueMicrosoft WindowsValid 734700x80000000000000007991788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.878{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=CA7A58C10B61327C283100DD9277811A,SHA256=13D357E647DB3DFDFE35C56E4CC78244B35647CCA53D34F94F318DA7C848E09F,IMPHASH=53B42A8A1BAA47FEA7A7B38E440D0DDFtrueMicrosoft WindowsValid 734700x80000000000000007991787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.847{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873C,IMPHASH=6E3C4DB87F2B77C788E86C1A678A8D0DtrueMicrosoft WindowsValid 734700x80000000000000007991786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.847{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FA,IMPHASH=6DF3E31673D2CCEDABFBE5A79390B72DtrueMicrosoft WindowsValid 734700x80000000000000007991785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.847{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95,IMPHASH=2D7046CEF5DEEA9D960D37CB0A98F146trueMicrosoft WindowsValid 734700x80000000000000007991784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.847{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.2515 (rs1_release_1.180830-1044)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0A509BFB5A32121F89325D493794CA83,SHA256=CB89991C328399A0AD5A18C38DD69FA77922A7977D9F4E7193C59AC03AF614B2,IMPHASH=469D7F45D04D223BB34959079C2591D6trueMicrosoft WindowsValid 734700x80000000000000007991783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.831{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489,IMPHASH=689E2A5805AE9CF0919D2DDDDDC411CCtrueMicrosoft WindowsValid 734700x80000000000000007991782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.831{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=28587FD4AC481D64955FC6593EE1E8FA,SHA256=F2F395FEDC16A7C9AEED4D3B290392B38FB2180518335B21ED4BA0B710449905,IMPHASH=A7A8E1C7D8A348EDDDA81702A2FEC068trueMicrosoft WindowsValid 734700x80000000000000007991781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.769{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97,IMPHASH=07C997EFB887CE39B75B7896A20F5FFBtrueMicrosoft WindowsValid 734700x80000000000000007991780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.769{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=01109EDBB3D2075AB5EC69DEE00F8008,SHA256=9688D1703D19751E6C96EBDBCABDBC6FFDA89197F9050125AE905B0C8591B726,IMPHASH=16E2C81454E1F9301D6F8A9B1F5DB754trueMicrosoft WindowsValid 734700x80000000000000007991779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.550{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670,IMPHASH=1FCD5DF5B3D97346B0A828B1CFDB1ED1trueMicrosoft WindowsValid 734700x80000000000000007991778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.534{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3,IMPHASH=EA6E499F92F9040E9609EFDC47BE01FEtrueMicrosoft WindowsValid 734700x80000000000000007991777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.534{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=CDD32AC585A458B6B2BC777FACF83BA4,SHA256=6A6D1362633319BA3E2D389A70827D0B5802C5EA9DD5CA723AEA6DBF65713426,IMPHASH=E698C8E2E06172CDB524686FF10A5C5EtrueMicrosoft WindowsValid 10341000x80000000000000007991776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.550{3BF36828-DD0D-60DD-0F00-00000000C801}3442016C:\Windows\system32\svchost.exe{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.550{3BF36828-DD0D-60DD-0F00-00000000C801}3441364C:\Windows\system32\svchost.exe{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.519{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDF,IMPHASH=25AFDCBDCE8BEB6A7109D378495BE552trueMicrosoft WindowsValid 734700x80000000000000007991773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.519{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62A,IMPHASH=5D2578ED274AAD83C30A3917C98404EEtrueMicrosoft WindowsValid 734700x80000000000000007991772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.519{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8C,IMPHASH=5D92B73B6930EFBC71A36B7FEF62DF62trueMicrosoft WindowsValid 734700x80000000000000007991771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.503{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0B,IMPHASH=B5CBF1B1B5086E2C500FD84325E04D44trueMicrosoft WindowsValid 734700x80000000000000007991770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.503{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69,IMPHASH=9F60CD6001B5CEA647B250DFF3B6F65AtrueMicrosoft WindowsValid 734700x80000000000000007991769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.488{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450B,IMPHASH=C3B61C1F5D46A607D624033E7094E4FFtrueMicrosoft WindowsValid 734700x80000000000000007991768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.488{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=7B019DFD62509B244C4A11809F595C07,SHA256=2E879BBDC7C215041617FC599FCBA8C474F99E27B8333EA4DCA4854FE738F22D,IMPHASH=918DADABE6E41CFBB03F954A46D3F72EtrueMicrosoft WindowsValid 734700x80000000000000007991767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.488{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891,IMPHASH=C7D6B46400E43E7BE538D1CCB512EC25trueMicrosoft WindowsValid 10341000x80000000000000007991766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.503{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.503{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9,IMPHASH=CAC6B3339C5CAA083E24A4484EE86E29trueMicrosoft WindowsValid 734700x80000000000000007991764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.488{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6,IMPHASH=AC11100B3FFA7FCAFA188E618E4C7CC1trueMicrosoft WindowsValid 734700x80000000000000007991763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.488{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BE003247800053860D5C85D2BCEB0744,SHA256=D687D105741BDEB1BCEE18F3692AE688C52E85F1BBA745315FA2FB7F953DCE55,IMPHASH=EED74FF36259DAC3FFC7675209FEED89trueMicrosoft WindowsValid 734700x80000000000000007991762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.488{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=46729D62C2C59533BF7F18EC62EA1066,SHA256=F890DA6B91DCCEF82188724339EB4469B27AA19183938F4269C8DE3FEA6C12F0,IMPHASH=7E0E904C0FD68DBF5F794D700C0C3C3DtrueMicrosoft WindowsValid 734700x80000000000000007991761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.456{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007E,IMPHASH=6E1D0A92C1917EFBFC1EEA82FA5E155FtrueMicrosoft WindowsValid 734700x80000000000000007991760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.472{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87,IMPHASH=44F906D172B935DEA0C5D038C6FA8449trueMicrosoft WindowsValid 734700x80000000000000007991759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.441{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82,IMPHASH=15CD876FB3F6EC97A2F7466360415F86trueMicrosoft WindowsValid 734700x80000000000000007991758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.441{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4E,IMPHASH=EAF4CC449835E7A81A8EEFEBEB2E8FC7trueMicrosoft WindowsValid 734700x80000000000000007991757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.441{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4E,IMPHASH=EAF4CC449835E7A81A8EEFEBEB2E8FC7trueMicrosoft WindowsValid 10341000x80000000000000007991756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.456{3BF36828-E8A8-60DD-F501-00000000C801}25762064C:\Windows\system32\csrss.exe{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x80000000000000007991755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.441{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0,IMPHASH=3045357B61B63AEF6CBCD96F2FA7E9D8trueMicrosoft WindowsValid 734700x80000000000000007991754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.425{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5D,IMPHASH=03B9E38A9E88FDC66380837CCC8647FAtrueMicrosoft WindowsValid 734700x80000000000000007991753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.441{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007991752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.441{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007991751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.425{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=57015A39A73789DC7171F4F6B211AC32,SHA256=3ED6D5A7095A141DCF234926EE0274FDA627C2829607DCE0F7604B7C683067E9,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007991750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.441{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007991749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.409{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=6046950FC9CA5B7A7E084C189658DACB,SHA256=5137C324038AB2E8EAB4F98A20BEE9F121346D62E4D907CA1E4A860F4C54EAE8,IMPHASH=EC90A0D780E0DD23BA7910ABD6BF7E32trueMicrosoft WindowsValid 10341000x80000000000000007991748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.425{3BF36828-DD0D-60DD-1400-00000000C801}10481416C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.409{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007991746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.409{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.409{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.409{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.409{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.409{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007991741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.409{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007991740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.421{3BF36828-E8E7-60DD-1102-00000000C801}1944C:\Windows\SysWOW64\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}C:\Windows\system32\ATTACKRANGE\Administrator{3BF36828-E8A9-60DD-F846-180000000000}0x1846f82HighMD5=6046950FC9CA5B7A7E084C189658DACB,SHA256=5137C324038AB2E8EAB4F98A20BEE9F121346D62E4D907CA1E4A860F4C54EAE8,IMPHASH=EC90A0D780E0DD23BA7910ABD6BF7E32{3BF36828-DD0C-60DD-0C00-00000000C801}864C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x800000000000000015899530Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:15.472{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09E73CCD41D6E8B89FF1FB148FEE1701,SHA256=D86CA9468A99F07B64469AD66E547B19F06677BAED42507504C40B2344007917,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007991793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.972{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\dui70.dll10.0.14393.4169 (rs1_release.210107-1130)Windows DirectUI EngineMicrosoft® Windows® Operating SystemMicrosoft CorporationDUI70.DLLMD5=C3DC010AC7F5880CC7BE626566FC4130,SHA256=3ED6E9D0AF769B0BFBE94DFF4CC07A94A81271133FBB60C9EB02676C92FFB87E,IMPHASH=E76D3161885DD9D13E8514AFC7BF3853trueMicrosoft WindowsValid 734700x80000000000000007991792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.956{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\DeviceCenter.dll10.0.14393.4169 (rs1_release.210107-1130)Device CenterMicrosoft® Windows® Operating SystemMicrosoft Corporationdevicecenter.dllMD5=F45FF2C8CA258D91F27E2043768F4950,SHA256=D2CAC755B817374345DD3115E98B70337C1943D4C19F7626BB1E8322AC5B3B04,IMPHASH=3D2EE665749DF083DFFC718E1566C781trueMicrosoft WindowsValid 23542300x800000000000000015899531Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:16.519{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35429C9BE840FB36F3962E96EEDF0E54,SHA256=12DDEA4817F72922AC9FAFD1A53264F758D550FD3AD12BDC7B9EA4CB0277AAE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007991845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.800{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007991844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.800{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007991843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.800{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007991842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.675{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007991841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.675{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007991840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.675{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007991839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.675{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007991838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.675{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007991837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.675{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007991836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.675{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007991835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.675{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007991834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.675{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007991833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.675{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007991832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.675{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007991831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.659{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007991830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.659{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007991829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.659{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007991828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.659{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007991827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.659{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007991826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.659{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007991825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.659{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007991824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.644{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007991823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.644{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007991822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.644{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007991821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.644{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007991820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.644{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007991819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.628{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007991818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.644{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007991817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.644{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007991816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.628{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007991815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.628{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007991814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.628{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007991813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.628{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007991812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.628{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007991811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.628{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007991810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.628{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007991809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.628{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007991808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.628{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x80000000000000007991807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.628{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007991806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.628{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.628{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007991804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.613{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007991803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.613{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 23542300x80000000000000007991802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.597{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF225AE2EE04EFE77D7B798FD5963A7C,SHA256=AB4FF1E739E3B21F6C99A47411799950F29FA0E29D4EAC80F053B878A3818FF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007991801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.597{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.597{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x80000000000000007991799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.597{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.597{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.597{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.597{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007991795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.597{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007991794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:17.598{3BF36828-E8E9-60DD-1202-00000000C801}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015899532Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:17.535{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=357F4B30CBC9F0FEA2247772F11D4027,SHA256=EDCB1A5175220E5B6E88C17DF5DC2B777FDA2EDE433F2AA061B3439FBDACEC74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007991898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.925{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=521CC4086AE089A37A7A6535A246C638,SHA256=C650D4228F945D3371D44AC336A8EBF3F1A66A3E4A8CE265B267D4BC3B593BBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007991897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.316{3BF36828-E8EA-60DD-1302-00000000C801}22283288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.316{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007991895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.316{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007991894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.191{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007991893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.191{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007991892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.191{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007991891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.191{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007991890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.191{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007991889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.191{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007991888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.191{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007991887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.191{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007991886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.191{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007991885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.191{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007991884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.191{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007991883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.191{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007991882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.191{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007991881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.191{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007991880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.191{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007991879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.191{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007991878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.191{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007991877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.191{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007991876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.191{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007991875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.191{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007991874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.191{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007991873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.191{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007991872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.191{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007991871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.175{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007991870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.175{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007991869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.175{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007991868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.175{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007991867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.175{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007991866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.175{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007991865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.175{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007991864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.175{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007991863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.175{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007991862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.175{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 23542300x80000000000000007991861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.175{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F54D2DEB5961CE7D9A9307DF771404B2,SHA256=79F8867F74878C7A8A067827D0048DF775A6CADA770A6871788508663E25D896,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007991860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.175{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007991859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.175{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007991858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.175{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007991857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.175{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.175{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007991855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.175{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007991854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.175{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007991853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.175{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x80000000000000007991852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.175{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.175{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.175{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.175{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.175{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007991847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.175{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007991846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.177{3BF36828-E8EA-60DD-1302-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015899533Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:18.629{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C4E284B43F9125D41C3370F9E60D0B6,SHA256=004A29556A604C08E98642CEADC6E419483EACE7DC850F07A621AC3C73B16E78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007991903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:19.628{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B2ED038C542E4A13D6A2E93830D817C,SHA256=086A4A5744157E634530007A8A23324DBD46C5BB27EF001A7D60738701EFD71F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007991902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:15.251{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62233-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 13241300x80000000000000007991901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:10:19.003{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\D370F6FF-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_D370F6FF-0000-0000-0000-100000000000.XML 13241300x80000000000000007991900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:10:19.003{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CA735696-6C26-4910-BF98-1B50C97DCBCC\Config SourceDWORD (0x00000001) 13241300x80000000000000007991899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:10:19.003{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CA735696-6C26-4910-BF98-1B50C97DCBCC\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_CA735696-6C26-4910-BF98-1B50C97DCBCC.XML 23542300x800000000000000015899535Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:19.644{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E3195026274B1DDFB0A469DC763CC4C,SHA256=E5C317438F54AE8B53BBF22AAF1BDB4196EC3EF25F43B5876E5506A0B06201A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899534Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:16.501{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51972-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007991905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:20.972{3BF36828-DD1D-60DD-3000-00000000C801}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007991904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:20.363{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBFC450EE0FDAEFBEF463F46927F0C35,SHA256=944AB72367F7487042AA1333C32DDB0A935CAC55395E82BD3F39E6695911AEBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899536Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:20.660{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B209746DF245BC3640C1C8D201548C0,SHA256=BE3D6C9A3123DBBBE9636A0CCF6DE614019DC61F57091BF7E075AF9EB1C032BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007991912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:21.816{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6103E558D99F8F2D0E01CDEF46DC9B1,SHA256=5B3E611F9A68CE4CB5FBB414DA1F015630B517816E08BF753A684DBA8290BD98,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007991911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.223{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62236-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x80000000000000007991910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.223{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62236-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x80000000000000007991909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.217{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62235-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x80000000000000007991908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.217{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62235-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x80000000000000007991907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.206{3BF36828-DD0D-60DD-0D00-00000000C801}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62234-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local135epmap 354300x80000000000000007991906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:18.206{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62234-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local135epmap 23542300x800000000000000015899537Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:21.660{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0F288FC99AD7AD172766968A8DAE18C,SHA256=CE545BA6071BFB1BF069D8B81B4175F8AE38B5AB4839CF683CB5E9C2367F43EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007991968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.691{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007991967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.675{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007991966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.675{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007991965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.566{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007991964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.566{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007991963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.566{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007991962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.566{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007991961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.566{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007991960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.566{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007991959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.566{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007991958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.566{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007991957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007991956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007991955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007991954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007991953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007991952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007991951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007991950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007991949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007991948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007991947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007991946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007991945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007991944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007991943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007991942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007991941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007991940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007991939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007991938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007991937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007991936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007991935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007991934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007991933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007991932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007991931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000007991930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007991929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007991928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007991927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007991926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x80000000000000007991925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007991923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007991922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007991921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x80000000000000007991920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007991915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.550{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007991914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.552{3BF36828-E8EE-60DD-1402-00000000C801}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007991913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:20.157{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62237-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000015899538Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:22.676{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4BB694C95B605C64E57EAF0D068993A,SHA256=AD0AE654137072F7FA49E021C69C9334B9CE036C087427946965E38D79F898CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007992019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.941{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007992018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.941{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007992017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.941{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007992016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.941{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007992015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.941{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007992014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.941{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007992013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.941{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007992012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007992011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007992010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007992009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007992008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007992007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007992006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007992005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007992004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007992003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007992002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007992001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007992000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007991999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007991998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007991997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007991996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007991995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007991994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007991993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007991992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007991991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007991990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007991989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007991988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007991987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007991986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007991985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007991984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007991983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007991982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007991981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007991980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007991979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x80000000000000007991978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007991974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007991973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.925{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007991972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.926{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007991971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.347{3BF36828-DD0B-60DD-0B00-00000000C801}6522840C:\Windows\system32\lsass.exe{3BF36828-DCF0-60DD-0100-00000000C801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000007991970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:23.238{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EC458AF68EDF69753BAA9805812834F,SHA256=E40251F2270DCC1AC1598FE434CDDFE35DF0E7B527D3E1639FFF740811E4646A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007991969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:20.407{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62238-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899539Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:23.691{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6FFEB2C96C0BE66904126FD14FF1DEC,SHA256=C274938715350D8AD8757FE8203D6633D842E2312BDC6CAC4676C821115AFCB2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007992075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.769{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007992074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.753{3BF36828-E8F0-60DD-1602-00000000C801}36885048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007992073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.753{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007992072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.753{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007992071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.644{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007992070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.644{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007992069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.644{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007992068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.644{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007992067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.644{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007992066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.644{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007992065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.644{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007992064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 23542300x80000000000000007992063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE95BB01C16206F77BF8EBF1FB680927,SHA256=C712F911CD97B620798EEB84CB7D879075B988E82B7F6D56F01649CBCFC12756,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007992062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007992061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007992060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007992059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007992058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007992057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007992056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007992055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007992054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007992053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007992052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007992051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007992050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007992049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007992048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007992047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007992046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007992045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007992044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007992043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007992042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007992041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007992040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007992039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007992038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007992037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007992036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007992035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007992034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007992033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007992032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007992031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007992030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007992026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.628{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007992024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.630{3BF36828-E8F0-60DD-1602-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007992023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.066{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007992022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.066{3BF36828-E8EF-60DD-1502-00000000C801}4768876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007992021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.066{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007992020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:24.050{3BF36828-E8EF-60DD-1502-00000000C801}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000015899541Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:24.707{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EDD581F6CCDC6E0305354BCEBBA03AE,SHA256=1FE51D08E203E4F8200890217E8E2F88AA61C4DB90445AE735F0CCD2C4AAA544,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899540Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:22.345{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51973-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x80000000000000007992132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.441{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007992131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.441{3BF36828-E8F1-60DD-1702-00000000C801}4576704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007992130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.441{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007992129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.441{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007992128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.316{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007992127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.316{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007992126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.316{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007992125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.316{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007992124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.316{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007992123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.316{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007992122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.316{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007992121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.316{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007992120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007992119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007992118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007992117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007992116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007992115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007992114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007992113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007992112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007992111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007992110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007992109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007992108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007992107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007992106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007992105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007992104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007992103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007992102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007992101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007992100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007992099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007992098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007992097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007992096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007992095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007992094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007992093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007992092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007992091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007992090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007992089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007992088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007992083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.300{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007992082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:25.303{3BF36828-E8F1-60DD-1702-00000000C801}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007992081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.551{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62241-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x80000000000000007992080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.551{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62241-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x80000000000000007992079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.448{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-128.attackrange.local62240-false10.0.1.14win-dc-128.attackrange.local389ldap 354300x80000000000000007992078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.448{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62240-false10.0.1.14win-dc-128.attackrange.local389ldap 354300x80000000000000007992077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.441{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62239-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x80000000000000007992076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:22.441{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62239-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 23542300x800000000000000015899542Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:25.722{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=370F4F91A832433E2F3F097BBCBB11FB,SHA256=04BF43A6E7FCAB94299A5DB17920AE9C38A1771A3200A78F858B0109D895C584,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.722{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=204B123563CBB1697156804A7B753610,SHA256=B28DAFF3BC96FF86A195F43903636CFD3018B4912989143D8D89B9F677CB57EA,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007992184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.191{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007992183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.191{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007992182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.191{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007992181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.066{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007992180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.066{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007992179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.066{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007992178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.066{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007992177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.066{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007992176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.066{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007992175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.066{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 23542300x80000000000000007992174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFB98AAA918EAAFCF3C15E53CF563E06,SHA256=C245BA9C7BCA550199C3A7B34B2125A6A1CA0A31B404DC050F6C2F89A3831403,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007992173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007992172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007992171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007992170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007992169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007992168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007992167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x80000000000000007992166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007992165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007992164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007992163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007992162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007992161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007992160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007992159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007992158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007992157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007992156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007992155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007992154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007992153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007992152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007992151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007992150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007992149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007992148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007992147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007992146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007992145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007992144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007992143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007992142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007992141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007992140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007992139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x80000000000000007992138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007992134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.050{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007992133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.052{3BF36828-E8F2-60DD-1802-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015899543Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:26.738{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB8CD85ABF036772315292F409842DD7,SHA256=C7F495AC8D64E025CFABEE5862A16547D8AC1F11648DF54AB7543805E0E2C08C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:27.473{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54B33B6E3BDF3BDEF7BC28C9792A8D5B,SHA256=5F3776234D332C5907D91A1ACC319ED2D30ADA25E0ED6D2E2D9E8E85FA3FC380,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007992186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:27.473{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=961CF7AAFF3284EFEE709B916C89A84A,SHA256=082B2A60DD1814A1317D0AF3C3E9C5325514361878797949EE912AC403C86283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899544Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:27.753{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF7FAE0F4BBC2AF5A4EC9F5EFC2C8ADE,SHA256=FA520A77A766E25A92D2977F2D8DD328AC3412FCDCEB8C3B55E57852533A2A88,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:28.911{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A46E5CDF5F37F1444A5A420094364A61,SHA256=2AA0F5A4AFCF85C4F8C1940A4CD95A6BE13F24262D83B88EFDD3BBA5FE71D3B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899546Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:28.753{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=919C139C8B9FFF16B8F292985B2622C5,SHA256=6757D83B4EC133E0D626294E18DF9D1D45FBFF6B0FB66DBAB5D587BB800246BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899545Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:28.503{B81B27B7-880B-60DC-1F00-00000000C701}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007992189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:26.251{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62242-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899548Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:29.769{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FEBA893EA3E03BF5A8CE4BE89BFC572,SHA256=AFDBF41255470C7875948BECBE3ADF2796EF4BDD64B248FC467F0DDCA5A90F2B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899547Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:27.422{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51974-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007992190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:30.379{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6E48910A6E773BB3FD0ED82A56DAF62,SHA256=03DB3C6B245D6FB8C6A710E2B15141BAFF511B1620C9AB5DEB64160772F3BDBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899550Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:30.785{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0AD5EDD57971571CD839EEAF8D0EAB9,SHA256=0EDEAE8D4A62269F3ADB0D7FA7C60B22ED307D6E500DC5B35205827E8A2B5B06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899549Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:27.797{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51975-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000007992191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:31.754{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8360B6F947ECCDCDCFC79B712C31865,SHA256=8261BC250ECD226740E09703102D8981144CFCDC2FCF2D25C8E4E00B16DD6BF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899551Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:31.800{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DBB2E4FF61E295A093A11DEAB6A6F73,SHA256=21F98D1BF95E30B8CFA730A6B9F227F9A826448B2D0894A97AFB6C6E5B14A8FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899552Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:32.847{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4249116AA1C710A939FCFCB7E6016C34,SHA256=26388D4B4509AF2EF96EF0C49246078F9203307081222C8617BFFD477D2EE6BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:33.114{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C277FF43B067D1D8863D63D6C54AD289,SHA256=A3138EA7CB0D08A0EC79CFC13E94F98FF53E8721175CCF44530BCD11D17BF5F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899553Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:33.847{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9209BCD866033CC3B390772D217D4DDB,SHA256=13FAF09044310546604F8FC70A27B30E1CD21DE5711364C1F6F73111416A9F3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:34.489{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B4FDE26E585BF8928FA59DBB6E2D89A,SHA256=C1F5CC94E556CC58B794D4B1E0DBE289E4FE889AAD0922B93BF4B1638D3FD6D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007992193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:31.393{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62243-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899554Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:34.910{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE17F32A69FAB6C0EBF06638D0629751,SHA256=2D98246C83AED18C62EC18E546BC59C9E5F9D162961A02AA9D7042AAE79FA4A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:35.848{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D320EA36B403C61E7C71A67C1298B856,SHA256=A4BB296C2D28FC0EC9B68611A72ED1BA75C27B475F43202FBEBD7650B2D69CFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899556Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:35.925{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C415DD4CDAFC9C6023081CE315B84F9,SHA256=ECBCE9A64D61A931B29FF89A92F33551197B926590821C0DECB2E5E671DFCC2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899555Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:32.438{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51976-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007992196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:36.536{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8EFAD8D1EE547F3BD59BB8138BB4CBF5,SHA256=87A9BD26E8F951BAD496A55CE2AE25495A383BCFE50EE2ACD529083930ECC6C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899557Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:36.941{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5A27FB9174609C0256283D1FF241DEB,SHA256=79186813F65F8CFAEEB909148DE8FDC96FBE5983CB6AFB3E9693F3B22FBEC8A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:37.223{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C7A9B8C1D98CCB68AA6DF3D9B865BED,SHA256=F69922427FE55FFD409027A5B29CB398FAD60D5A20797E774BCB9A915E74D609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899558Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:37.956{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16F9DE4F04C965A588F5C27988CBEE78,SHA256=EAD0D0DEF86530A9A645155C10EED06254D8135E1EC6307407E4CED6486EB2CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:38.583{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E78FB1BCEA364F28BCDE10B2DCA9D76D,SHA256=27B34E283A947387AF2062B4471C740634370322519F49A6511EE4F9BAE657C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899559Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:38.972{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC2BBA0613A8070D33C58401DEF27D23,SHA256=AF622B0C9015F0AA818E7181D24670253AEF8493FB7BF6CCEC3A25C770DE8B36,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:39.957{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50AAFB8973F9B7A7AE1A19293BD14B51,SHA256=751C9EFD4D2600D5902C0C7788D04FC55138452A15AC2D524ADE07505EA10334,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007992199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:37.299{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62244-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899561Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:39.972{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48E85873649248CC179C019066B43252,SHA256=0191C3EA2506A2E4C82573EE8351678D5497D315A3D526D47F74CA3ED5B8A69E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899560Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:37.453{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51977-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007992201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:40.645{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D521E607EFB04A94E121992D22A62EA,SHA256=5F409E8FBC6E4872ECE1D831F09B37CD22B0A215ABEACE2C36CDC35DBAF3F8C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899562Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:41.003{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=490B09EDC7B7DA060194F912AA300A46,SHA256=3270333D1383FAED6DBE464E5F40C8E5A8E362E8381D07D100245E032ECD941F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:42.395{3BF36828-DD0D-60DD-1200-00000000C801}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D9EB7EC40234895B846119A67D53456F,SHA256=4A24476A9FDF5524FB913BDB96597D13C8927031EA4EB659090E1769D17E8ACA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007992202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:42.020{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28CBF6E72FBE851F60847D9802606678,SHA256=C45B332DD5B05CF6FDDAF2F12B741A6EFF71F1EBA06E2284378FE1B72173A1CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899563Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:42.019{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B80466234F42EE2EBDD43E0DD5CD56A8,SHA256=1D92389A5E8D0EDD6FD5645C6C7F565C5140F0857DBC12B74AA3DA9A6FA7D65C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:43.395{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2CEDA77CA3078BBAABC3807B040BABE,SHA256=094870CA871641F7141D9C3FB508452BF169010F7B8345A729A6ACBD9F923B89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015899590Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:43.675{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E903-60DD-412A-00000000C701}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899589Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:43.675{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899588Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:43.675{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899587Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:43.675{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899586Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:43.675{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899585Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:43.675{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899584Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:43.675{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899583Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:43.675{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899582Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:43.675{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899581Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:43.675{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899580Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:43.675{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E903-60DD-412A-00000000C701}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899579Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:43.675{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E903-60DD-412A-00000000C701}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899578Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:43.676{B81B27B7-E903-60DD-412A-00000000C701}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015899577Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:43.034{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAB5806A30BDF81BF400D595CDF52306,SHA256=B3DFF53E2C98D590E31F8CEEB7DD1E5EEBB4E2BA197ADA765F076114952FF066,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015899576Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:43.003{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E903-60DD-402A-00000000C701}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899575Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:43.003{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899574Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:43.003{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899573Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:43.003{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899572Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:43.003{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899571Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:43.003{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899570Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:43.003{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899569Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:43.003{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899568Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:43.003{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899567Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:43.003{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899566Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:43.003{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E903-60DD-402A-00000000C701}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899565Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:43.003{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E903-60DD-402A-00000000C701}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899564Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:43.004{B81B27B7-E903-60DD-402A-00000000C701}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007992206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:44.754{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1840BA8467252DC8206DBDE96B0D01D,SHA256=EC6D3B2C40EA5F767A17397F822F76E7022438E285833BBDA0F839F00B5E3097,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007992205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:42.377{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62245-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000015899608Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:42.531{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51978-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000015899607Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:44.488{B81B27B7-E904-60DD-422A-00000000C701}1700932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899606Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:44.347{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E904-60DD-422A-00000000C701}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899605Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:44.347{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899604Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:44.347{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899603Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:44.347{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899602Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:44.347{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899601Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:44.347{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899600Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:44.347{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899599Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:44.347{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899598Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:44.347{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899597Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:44.347{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899596Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:44.347{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E904-60DD-422A-00000000C701}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899595Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:44.347{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E904-60DD-422A-00000000C701}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899594Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:44.348{B81B27B7-E904-60DD-422A-00000000C701}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015899593Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:44.066{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70ADC942B4FA987D647D978BC5BDF253,SHA256=2ED25E913D131D4913D70E94666FC1A76C2C42796DE7ABA2CFE01D69086CAB00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899592Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:44.066{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB02878BAF8682F4CB3EBBEC618AAD6A,SHA256=CE05938648F9606D3D35C8EDC4AABE87BAD72FABD4D189CB44DDFD52510E5656,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899591Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:44.066{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0CAA39D300298CB0BC6657DF9245BEA,SHA256=6E0974723FA06BDAEBEF239F7C2C257A4866F81C686D4C54E06639AA7E75F41E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899610Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:45.347{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB02878BAF8682F4CB3EBBEC618AAD6A,SHA256=CE05938648F9606D3D35C8EDC4AABE87BAD72FABD4D189CB44DDFD52510E5656,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899609Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:45.081{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD533F0038ECC919208135FCEFEBBC6E,SHA256=0FC39654C1302C7F5E7BA84F69A5722EC195A957014CDF9DF45D9BCD0DFFE642,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:46.442{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4D5C36ABF188A152589C9195191A544,SHA256=BE990024E594301D969FC603E6616CE927B4B952B40553310E7692EC9022E481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007992207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:46.442{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CA8F08CF1A0E3ECE72910135A58076B,SHA256=39EB688D4566497203052D361FB58FD26368CCD448FBBD85E031EE8E7B4AF6E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899611Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:46.097{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E12110F05FEA83105FE0894ECC1648CC,SHA256=93D31EF79913AB2227C3520BBF99967A04DB2BE00812F8F4E18ACE32FB09CAE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015899626Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:47.555{B81B27B7-E907-60DD-432A-00000000C701}3840748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899625Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:47.414{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E907-60DD-432A-00000000C701}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899624Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:47.414{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899623Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:47.414{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899622Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:47.414{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899621Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:47.414{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899620Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:47.414{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899619Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:47.414{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899618Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:47.414{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899617Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:47.414{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899616Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:47.414{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899615Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:47.414{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E907-60DD-432A-00000000C701}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899614Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:47.414{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E907-60DD-432A-00000000C701}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899613Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:47.415{B81B27B7-E907-60DD-432A-00000000C701}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015899612Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:47.113{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A107091C5ED9E484BDC820A38A6E9C7E,SHA256=CF83621B1D275817FD454AB5E7BA995935831F6DAB2BCB2DF6F978FE9EFA8622,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:48.478{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5E394100EF73FD676FF940868AE9BD3,SHA256=368CE0C57FF94B0788EE5A901FBAB12204634D6584FA970F27CED48C02B37805,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015899655Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:48.758{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E908-60DD-452A-00000000C701}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899654Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:48.758{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899653Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:48.758{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899652Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:48.758{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899651Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:48.758{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899650Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:48.758{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899649Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:48.758{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899648Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:48.758{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899647Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:48.758{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899646Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:48.758{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899645Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:48.758{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E908-60DD-452A-00000000C701}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899644Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:48.758{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E908-60DD-452A-00000000C701}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899643Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:48.759{B81B27B7-E908-60DD-452A-00000000C701}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015899642Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:48.430{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E7746598EDD3349A9D08CEC0E991A8D,SHA256=9E0EEF5C6DEF7F75A270F07555AB7A09666CED7DD32B829A4849738CD7A3A098,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015899641Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:48.242{B81B27B7-E908-60DD-442A-00000000C701}45805224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015899640Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:48.242{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD046B3BEBE6AB1460DF13D44DF540CF,SHA256=54A45CE7BC88F6DCB0D1A361CAFFA01B03D588D7A473D19ABF12A9AC2EC25ED4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015899639Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:48.086{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E908-60DD-442A-00000000C701}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899638Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:48.086{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899637Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:48.086{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899636Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:48.086{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899635Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:48.086{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899634Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:48.086{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899633Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:48.086{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899632Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:48.086{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899631Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:48.086{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899630Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:48.086{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899629Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:48.086{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E908-60DD-442A-00000000C701}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899628Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:48.086{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E908-60DD-442A-00000000C701}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899627Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:48.087{B81B27B7-E908-60DD-442A-00000000C701}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007992210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:49.494{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FBB4A4B13BF176F6DC6A8EEAA2F4CD5,SHA256=781B5AAA89BE8B878AEE7325EEC474F35C7B5BE11ECFEF6E2B5669D7C35FE6E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899672Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:49.774{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70CCF93B47E6A13559389ABE583694C2,SHA256=1A99CF06E286C91BAF01E2F0D692CEE396497ABB926E91C39D343D21E225BD4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899671Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:47.552{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51979-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000015899670Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:49.586{B81B27B7-E909-60DD-462A-00000000C701}41483732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899669Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:49.430{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E909-60DD-462A-00000000C701}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899668Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:49.430{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899667Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:49.430{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899666Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:49.430{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899665Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:49.430{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899664Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:49.430{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899663Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:49.430{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899662Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:49.430{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899661Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:49.430{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899660Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:49.430{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899659Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:49.430{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E909-60DD-462A-00000000C701}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899658Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:49.430{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E909-60DD-462A-00000000C701}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899657Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:49.431{B81B27B7-E909-60DD-462A-00000000C701}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015899656Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:49.274{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48AD519EB5BB98558A111D282F2EBB7D,SHA256=4A19E83061C4B027488A132267E7F716A01BA8F0CA27AB70DAB6DCABCB14C45D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007992212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:48.257{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62246-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007992211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:50.543{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2473B66C8ECB1F700120483A25D208F5,SHA256=CC527EC423D082A92F453E084E2F9491B86B7063BBD0E84C994DE0D5F1911267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899673Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:50.289{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5ED659FF34DA328BBE6001C458164AD,SHA256=FEF452B82A8458CCCC156818E15829F824B0341992120D747E371EDC0D255886,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:51.906{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC1E1017E460A90A25B6B99A331B626C,SHA256=480CB9FD73F108DCFEEDEFE772B550237EABC98F8C6EDAB07365BD167A59B0BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899674Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:51.289{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B987EB4408F7578C2317E3FD9BE83092,SHA256=4E0123A8126B01A233A2939F2B33F8C08228B322C97759C9C17C41541638BB98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899675Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:52.289{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46B0528A3E684E09EFCE8BCA4E31D579,SHA256=68FEBA8A43D7E8DB40B8A3AB07646D004305358915321185EAA6AEBFB9F425D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:53.265{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5895F0133D58E3BFC60A2FDEF0E7A8B,SHA256=239C3F3077CCB81F13ABB1FA2906D23445EDC5617491B71609517A67C52C9ECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899676Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:53.305{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B23657E5C7D0B31776D65581803FB4AF,SHA256=956ACD1F4589D0B775D93EF1A75113E2F2CFD97F9ED8E6092C3A73EDCBA8A5CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:54.640{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=032120BDDC9BB089D1E41630B6C5EF03,SHA256=E98FC839AF89C6B1C6F6C85A7D594DFC43E7C18DE686EA09FAEF2C10452FA8B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899677Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:54.320{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=964FB6D86AB173464748EFDEFDDFE47F,SHA256=879D23C0CFDEB8DE21CDA9A31C54B94E0E6817B21105F1C4657094195FC2DAEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007992216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:53.262{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62247-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000015899680Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:53.396{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51980-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899679Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:55.383{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80400C13469271FDE9293AA532485141,SHA256=BE50D77BA25B420539C3F2F5132C41C1F0E7587C0D0E3B0966DA6F22BB36427B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899678Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:55.367{B81B27B7-880A-60DC-1000-00000000C701}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=DED3E3BE7219024F408420940370F408,SHA256=E584E8897145403847E5DCC9D94B968416E2D9536EF79784E00EA7DFA82C44F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:56.687{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8233C6F492CFC0E5BF3CBC215127AB8F,SHA256=C13E3371F26DB3CDC493E00F42E0D9871325187BCED4916F1C27E1CA972DF05B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007992217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:55.999{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3C40D8C9C270238741CCB82A2B9071B,SHA256=266A6E8D50987A5E46379D889647BF31562DF3973163CB6F585044D4ADAE65F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899681Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:56.386{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE705742DDB4A3F9394B7C6E53C4F8A8,SHA256=AE4BF9B87D2D99035BBE7159443D0459D6745A70F60A0FA5C1093FD1E351F031,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:57.359{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=323DC1B0DCCCC6A8AD01F98892CA3942,SHA256=CDC79DB17F725755A0050CE9896A2461F862E2D39ACE3CD248B6519075F27175,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899682Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:57.414{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E214B555F78ECF30E92E8A0D417B0249,SHA256=994B20003776A7DAC35ADFCFDE69ABF916EAEC6665BAC3BB3459A51C5C907B29,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:58.734{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C7C355CDAF628707CC52AA89DABF444,SHA256=C8B43C5493143FB74729B8169F24F8F01CB5E4D6C14038C82C45C38C9D58C325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899683Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:58.417{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CE22E20F2518919F90EE6433132BC38,SHA256=A5F88C516C38F7960DA75D1DD798C66285F0107D7F87D11C6FC0096A2D5F149B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899684Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:59.480{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2997667AEA6CD2E75E5B775499C015D,SHA256=B0D01FCA68099E5E5374C83BAB02C71A811A90E40EB369F8F713A0DC8EC705FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:00.093{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B33DC24D6A71DC4220FE0AE922C3BFB8,SHA256=532DE7652CFA308897284899683DED7370178C4E6D8DF47884831BCBDBA90AE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899685Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:00.511{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B99F8B0AB4AC435C0303F2374D095FF,SHA256=C68381C606255B3D2F6EF46558A46CEA0B21FE8307F95CB3B2229415883C9A18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:01.468{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF28D06558426FB35BDD217E3C7F83CB,SHA256=62DF9EDEEB263ADE4F01C62BA5621F1AC5648136BDDD201860EE1058A804CA18,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007992222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:10:58.418{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62248-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899687Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:01.542{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09889825326342600C77A46F83823D16,SHA256=45B036B8F4549E341960C406DA3EB0F4331C6BC44F9981D0F5A516E6B589B874,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899686Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:10:58.414{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51981-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007992224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:02.827{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA04FB5EAC9B95C170896F93625EA4B,SHA256=9B9B88EA38C504EBC7D422857C54B48490B8086302F23E20C665A4F9A4958FBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899688Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:02.620{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCFB647D922F36917FA569C1C5E9E26D,SHA256=F9C1D2014DC9000A395E1366A0D67A347F5894B596338C2F8DEB5BA997BA8131,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899689Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:03.652{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20B0ABE9A69B064DCCDFC2FFA54C1D18,SHA256=D9ADAB62FD04558C34A9CE26F2CC1D056CE3B62712CA4F1444F4AF266DC16C7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:04.187{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C09EB74C065668D38B45A7B4F39A3AF7,SHA256=3DC0BCC763AA9B6269556817ECE2F2E4B09088D89745D537440C106FDE031C72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899690Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:04.667{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC1C6A9FC8EC6085CB74C30996C4A9D7,SHA256=B6FFB2BE5D384CBB1DA5390371CEA3291FA171F4B15AA9462DA5B692170FC54D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:05.562{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20C47AE9F5C823AF2A50491804378067,SHA256=83AB6794DD218F95FE4A8AA5E160069C4CB919E366FF258E2704E83BF1AB7DCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007992226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:05.562{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ADAB9DF41CAAF5BA0627FD395F213F1,SHA256=1A01F7AC95F52B8519AB17BD435FF56F5C6F85332A6E2881BF5F7CFAB73F8C08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899691Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:05.667{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8A3DE7FEF83BD56115867800209A05B,SHA256=2548905A868440FA6C51B52092A0C9D37A84E78BB16DA6BA2AF34DD04CEE60A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:06.921{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD2235DC1FADE1EF95709068525B9278,SHA256=E7AF518157724588E993A9328BA3C483A0257D748FE2075C745DBB51518CAF70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899693Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:06.699{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E8C8E8DA204B89D6600FC546F576738,SHA256=E145EA8E214508627C55694FB11EFE111B77338068E7B5E22BE6216F5794CB53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899692Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:03.493{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51982-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000007992229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:04.449{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62249-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899694Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:07.763{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CDD29FB16BD96B8943C4EBDDDAAC5B9,SHA256=2CB3CB5200D874C3BB61E88392782E90EAC3A5562631A86275726791EC0F4F30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:08.280{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B0301FEC61151A42C2EDF2B619FEF0E,SHA256=6A2C362005FDD15042A36BF17CC3BA464EB11161B9AB771D4AACF603925C8602,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899695Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:08.778{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27ABE96CB1D15D9259BA7EA7356F48B5,SHA256=29F2F651D37ADD917459AE88A47588FAB0B97B6536F6087EA0C3DDA483C7C99B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:09.655{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F358D1EFAF0C050897A3582DE0B5BF17,SHA256=DB24C165D30FEDDD3180CBD8D286FF96DD839DFEFB43149A631F34DA8FF3A4DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899696Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:09.778{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7215D8BDFA8DB7BEF32F8DDA1E3D92B1,SHA256=B8E70DA095008E538E43E948714FF756ABDCF1DDEB8F97B920401978317A0862,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899697Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:10.794{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C23B9BBAB196406E1566E1FFB874007,SHA256=EE5A50043E59EAE3502B53BF4DED0B588B985545FF1317DAD7C8123EF85BD6E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:11.014{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C335A3A573E6410FE3C409C332B3CAF1,SHA256=9883C2D7234FA87E97A42D9F3AECBC310359752FECAF632BD656A290E5AABAF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899698Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:11.825{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56409AC62A30D1B10C6AEDB8D664E02F,SHA256=98643CBEAE3ACA265C3ED3EA954A35F868F91477436E6747DF419C82A6570456,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007992234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:10.214{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62250-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007992233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:12.389{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=339B364120411D89101813346ED18ECA,SHA256=479697ACB968432AE08C99130F12AE9A1404612C4D3A2789C009E0BA3C79690B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899700Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:12.856{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF319B690D5A7632FF15A18250C95DD4,SHA256=2F1C063D36EFDD8E59E386FC696E061F1A20F141F233F576EC9F1FC0F0658818,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899699Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:09.494{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51983-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007992237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:13.748{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CD27A4EBEFD3C1BB7AF2E7C79E55FA,SHA256=C7A9BC24B7E8D0B2CF7DF2F590AC2C4F92D817A9736C611A39902BEEF89AF626,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007992236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:10.777{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62251-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007992235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:10.777{3BF36828-DD1D-60DD-2F00-00000000C801}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62251-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x800000000000000015899701Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:13.872{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC31B984341465846ED0AD306639B973,SHA256=C096BB9F7AA80C178EE39E96F20A2693CBD60C918D309D8435519E5A42855ACC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007992266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:14.748{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeC:\Windows\System32\vaultsvc.dll10.0.14393.4169 (rs1_release.210107-1130)Credential Manager ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationvaultsvc.dllMD5=3737D0F0B1AF96BD7EBD23D65021373F,SHA256=BA145F442F6F067AE00EC8026F48E3921A02DA18F6AA5810E136C79671C4E037,IMPHASH=B05C889F8312CB866B3AF19106933F88trueMicrosoft WindowsValid 734700x80000000000000007992265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:14.733{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\Phoneutil.dll10.0.14393.4169 (rs1_release.210107-1130)Phone utilitiesMicrosoft® Windows® Operating SystemMicrosoft CorporationPhoneUtil.dllMD5=05E18A2C7D96FEFA0633A4DF149A76FA,SHA256=97559BFED19FB5339E86F5F18E2EB017C6911D9607C29D05A0DE04ADEE7C5AC0,IMPHASH=F581F0042DDFF14CB6B738BDC330C9E8trueMicrosoft WindowsValid 734700x80000000000000007992264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:14.717{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\Pimstore.dll10.0.14393.4169 (rs1_release.210107-1130)POOMMicrosoft® Windows® Operating SystemMicrosoft CorporationPimstore.dllMD5=A2D773F58C729AA30605A3DAAF724A82,SHA256=826341BA7F1AA1509DC0A15E3F12D954422FF595CA4BA83FE55220F755529AE9,IMPHASH=E598BB6F38066FA2EAC3BB4401DEA5A3trueMicrosoft WindowsValid 734700x80000000000000007992263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:14.717{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\cemapi.dll10.0.14393.4169 (rs1_release.210107-1130)CEMAPIMicrosoft® Windows® Operating SystemMicrosoft CorporationCEMAPI.dllMD5=74F0AC38A7054B6797F7D188C8055AFA,SHA256=1F1BD8CFCB2F1E50EEEAEAEFE4E80AA787C3EC1ADD865DC36907441E540A71C6,IMPHASH=17971BEF3E13E6A3E7A4E6359B597E4AtrueMicrosoft WindowsValid 734700x80000000000000007992262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:14.717{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\UserDataTypeHelperUtil.dll10.0.14393.4169 (rs1_release.210107-1130)Type Utilities for data accessMicrosoft® Windows® Operating SystemMicrosoft CorporationCommsTypeHelperUtil.dllMD5=5436656CFA34A6F4380DD29E18F1055D,SHA256=C379DE32F56F4EA3EFE27A677B0E7D365BFA46CDDFC3E13B23A7AD8FF6AB938C,IMPHASH=FEFD49216BF0553A161376862A9144C6trueMicrosoft WindowsValid 734700x80000000000000007992261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:14.717{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\MCCSEngineShared.dll10.0.14393.4169 (rs1_release.210107-1130)Utilies shared among OneSync enginesMicrosoft® Windows® Operating SystemMicrosoft CorporationEngineShared.dllMD5=7054057D27612D7A6BC2DE6248E23222,SHA256=4CD059E6C051216B27769132E36AB402336784482044F3900848971FE3519937,IMPHASH=54E2086BE4C5B4787237E2C107594613trueMicrosoft WindowsValid 734700x80000000000000007992260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:14.717{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\accountaccessor.dll10.0.14393.4169 (rs1_release.210107-1130)Sync data model to access accountsMicrosoft® Windows® Operating SystemMicrosoft CorporationAccountAccessor.dllMD5=2AA7EF80B0B8470132840796C0E12D3E,SHA256=5B4DA1BBD11AFE45062495280753762D48FD91DD201FA62429C464332673BCFD,IMPHASH=7F1D21E34A18ED7355FC28A9289B2A19trueMicrosoft WindowsValid 734700x80000000000000007992259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:14.701{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\APHostClient.dll10.0.14393.4169 (rs1_release.210107-1130)Accounts Host Service RPC Client Microsoft® Windows® Operating SystemMicrosoft CorporationAPHostClient.dllMD5=86E8B02BC3B07497182EFF1CE26F1BDB,SHA256=03811184A77BE1B1B963B144D8A5668699BDEB1D9B59CE3F3C3DA5C44D2130F1,IMPHASH=FD5192FA7E3AECF430F117A0CED725D0trueMicrosoft WindowsValid 734700x80000000000000007992258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:14.701{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\UserDataLanguageUtil.dll10.0.14393.4169 (rs1_release.210107-1130)Language-related helper functions for user dataMicrosoft® Windows® Operating SystemMicrosoft CorporationCommsLanguageUtil.dllMD5=81F9257874073343EB7059837947A415,SHA256=9D1C4739FCB6CA78CB335D6735641C5C4951843CE858F5FC0487362BDF64AD7B,IMPHASH=34EF4260D4488E3816B585068C6E5C91trueMicrosoft WindowsValid 734700x80000000000000007992257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:14.701{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\dsclient.dll10.0.14393.0 (rs1_release.160715-1616)Data Sharing Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdsclient.dllMD5=68B9D02A469519C6BFD9F39854EE8E62,SHA256=A7646650AB50D076DBBC6E9B767565DDA71B078814BC2071BA525F118B861883,IMPHASH=F148E4E0D3E37883A6CAB6CEE53CA685trueMicrosoft WindowsValid 734700x80000000000000007992256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:14.701{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\SyncController.dll10.0.14393.4169 (rs1_release.210107-1130)SyncController for managing sync of mail, contacts, calendarMicrosoft® Windows® Operating SystemMicrosoft CorporationSyncController.dllMD5=C85E7851B725133171A1160DF9FDDEE3,SHA256=D0CBF9762D052286C575750C6BAEA77907784C581EEAD5D9FD8F9ACEF1D592D6,IMPHASH=A51DADF7A71D463A185DB77FFD892C55trueMicrosoft WindowsValid 734700x80000000000000007992255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:14.686{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\NtlmShared.dll10.0.14393.3269 (rs1_release.190929-1234)NTLM Shared FunctionalityMicrosoft® Windows® Operating SystemMicrosoft CorporationNtlmShared.dllMD5=99F4D90B3ED53855C06F856006E770D1,SHA256=A95E5823B68182C4E32CB783AD23BC4FF60690001C70E6B5E920C12740C4C37C,IMPHASH=36FD662FB3EF657597E485F3FC734A67trueMicrosoft WindowsValid 734700x80000000000000007992254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:14.686{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\msv1_0.dll10.0.14393.3866 (rs1_release.200805-1327)Microsoft Authentication Package v1.0Microsoft® Windows® Operating SystemMicrosoft CorporationMSV1_0.DLLMD5=2A725546D9B1F9DB4974A2EA4225D0A8,SHA256=46AD1AC8C7DB7D21E8F41EFC734B855CEE566CB58F8FB825775490DC5DE89C94,IMPHASH=A243271C363636A670D5D150D4D338C9trueMicrosoft WindowsValid 734700x80000000000000007992253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:14.686{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\bcd.dll10.0.14393.1794 (rs1_release.171008-1615)BCD DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationbcd.dllMD5=8CCF9CCA4EEEC2594793B33F487FD327,SHA256=6C0601675E07083C28199BB7933A2CF5EF3784DC243BD030EB963052C3C4D4CA,IMPHASH=13F6727DFBA0EC436911ACC99667406EtrueMicrosoft WindowsValid 734700x80000000000000007992252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:14.686{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\FlightSettings.dll10.0.14393.4169 (rs1_release.210107-1130)Flight SettingsMicrosoft® Windows® Operating SystemMicrosoft Corporationflightsettings.dllMD5=E965620C8A8B87743913620A2908E5BA,SHA256=6DA3834B404BB808A7BDD325E1A579C51B801DB3CD3B2B62FE76BF2885D46BF8,IMPHASH=150C278E26AD9589A09DAF64F8703678trueMicrosoft WindowsValid 734700x80000000000000007992251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:14.670{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\InprocLogger.dll10.0.14393.0 (rs1_release.160715-1616)In-proc Private Event Trace LoggerMicrosoft® Windows® Operating SystemMicrosoft CorporationInprocLogger.dllMD5=14595E85CE1907226B161F6C5F01E86C,SHA256=CD6EE7DAE1CC1CB22AF438EC9439303C955B09C929E37838B96D1B06DBE0CE61,IMPHASH=996EC9118BB9EBA8379EFB3422E9DF28trueMicrosoft WindowsValid 734700x80000000000000007992250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:14.670{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\syncutil.dll10.0.14393.4169 (rs1_release.210107-1130)Sync utilities for mail, contacts, calendarMicrosoft® Windows® Operating SystemMicrosoft CorporationSyncUtil.dllMD5=43C83B5EFECE7346BDA668DA2A5E85A1,SHA256=CCE3C727C88835193054A672C9BEED9982820F6C918161CDE31BFA0993CC6282,IMPHASH=72645E06157A5DC67ADBFE038CF4DA67trueMicrosoft WindowsValid 734700x80000000000000007992249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:14.654{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\networkhelper.dll10.0.14393.4169 (rs1_release.210107-1130)Network utilities for mail, contacts, calendarMicrosoft® Windows® Operating SystemMicrosoft CorporationNetworkHelper.dllMD5=E1E56EA7306DE82D826B76C2F7C53483,SHA256=C9141862A72832540818755AA11ECF4A28552F9412F615F2895A0C5CEE2466EE,IMPHASH=A0D223BE1C19E4AAB07BD0EE9E059EE3trueMicrosoft WindowsValid 734700x80000000000000007992248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:14.686{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\npmproxy.dll10.0.14393.4169 (rs1_release.210107-1130)Network List Manager ProxyMicrosoft® Windows® Operating SystemMicrosoft Corporationnpfproxy.dllMD5=4D76C6FAF3D01B31A68C9ABF95F4B7D4,SHA256=9B771613C067880E99ED3D68E6C2A43C6B252E899D44682ADEB5A7F02E925920,IMPHASH=55727E718711848BBCDC7F433974B473trueMicrosoft WindowsValid 734700x80000000000000007992247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:14.686{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\policymanager.dll10.0.14393.4169 (rs1_release.210107-1130)Policy Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPolicyManager.dllMD5=58677E3FBF7D29109E8EB578062F1C81,SHA256=F751521EBC10CC1F0BC6AAB2715B9169439A014F178A7D6880080567D880C103,IMPHASH=E1BC13C6E7766D0332C0420A512C2799trueMicrosoft WindowsValid 734700x80000000000000007992246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:14.654{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\UserDataPlatformHelperUtil.dll10.0.14393.4169 (rs1_release.210107-1130)Platform Utilities for data accessMicrosoft® Windows® Operating SystemMicrosoft CorporationCommsPlatformHelperUtil.dllMD5=C36730FE1B3B87FCFE0D96AD88D14C2E,SHA256=9663F24C289081C6139106DD684BF390A329DD1CF564876A9C14695A721B6992,IMPHASH=43474657F84DD1E2AB506DD499B4812EtrueMicrosoft WindowsValid 734700x80000000000000007992245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:14.686{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007992244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:14.686{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x80000000000000007992243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:14.654{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\MCCSPal.dll10.0.14393.0 (rs1_release.160715-1616)Platform abstraction layer dll for MCCSMicrosoft® Windows® Operating SystemMicrosoft CorporationMCCSPal.dllMD5=C9719D9949646B6B6563263CC3599A66,SHA256=32EED915BFB3A95E19D762895202226EF9FA9A28DCC17F2C910B9A0CFE549EEB,IMPHASH=AC50448D3AA73CA722CDA14259602222trueMicrosoft WindowsValid 734700x80000000000000007992242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:14.670{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x80000000000000007992241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:14.670{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x80000000000000007992240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:14.670{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x80000000000000007992239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:14.654{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\System32\svchost.exeC:\Windows\System32\APHostService.dll10.0.14393.4169 (rs1_release.210107-1130)Accounts Host ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationAPHostService.dllMD5=E9303A40B6621C4D7615AB7F2EF6FD85,SHA256=60B42358F4B346114EA37E5600C11D637269B17A4BB992659F613B6B58257E67,IMPHASH=C283CC65582F5126132B2A0837C4AA59trueMicrosoft WindowsValid 23542300x80000000000000007992238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:14.436{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=135890E1E720A40AAE9A8316FDD370CF,SHA256=B1CBD5DF7CA95AE1F5F948A6615CBC661EF6640AEC3C9E77283FF456ACCEEEF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899702Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:14.903{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9316CD3A13999371BE49DAF6984DF7F7,SHA256=A27758FED7C89FE4BD18BEB363A9BE4BE4D23C9C98C8BBC0D5FBB2D397A0C2FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:15.795{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=957593537DF6A18F59C68340823CE114,SHA256=755031EDD963FA8B40B5CAC5DEA8F45AB058DDAA1055EA303C2B69314757A82E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007992270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:15.795{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F92C6777AF91CB1ACB4DB7CBF5D50954,SHA256=648827F5D0680801944EB78C328699D45B5CC2827039205AD1FEDFF34A9CBD97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007992269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:15.795{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=574614C12B44E675D7F1D66FFB23AB4A,SHA256=6B4DC02B8C37E98DB0E94DECD888EC5F843FD0FC4FF94468AFE03F613567E065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007992268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:15.264{3BF36828-DD0B-60DD-0B00-00000000C801}652NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Vault\UserProfileRoaming\Latest.datMD5=93B885ADFE0DA089CDF634904FD59F71,SHA256=6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x80000000000000007992267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:15.108{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A3CDD0AF5BFDB0531A1689A9DA582C9,SHA256=FA555FFEF9A86F64BFBC5E71F4E9A286E968CBCBCD9C8116F22DFB44FBCBAC1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899703Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:15.919{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59012D0817B14FC6DE182CEA32DCFC97,SHA256=27F37A9EA656C903CA47BA203E6CEDEBE0BC49D92FE0A1E3E3514BAA4F44390B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899704Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:16.935{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7112486F4E1B353ABF94A2B1E55650D3,SHA256=7ADC959121E2E3937836F38A4DC4502060FCF454130E961268B0047D72741ECB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007992277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:17.358{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\ieproxy.dll11.00.14393.4225 (rs1_release.210127-1811)IE ActiveX Interface Marshaling LibraryInternet ExplorerMicrosoft Corporationieproxy.dllMD5=09F1A9B8D64253FE8F9D7F7D247C77ED,SHA256=1613206B13D753703ECFDE8E440D3D9F32289E4C4A274CC05A929B458EE7A1DD,IMPHASH=52E844121DC5187B35C8EA9A7A9A6AC2trueMicrosoft WindowsValid 734700x80000000000000007992276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:17.342{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\hcproviders.dll10.0.14393.0 (rs1_release.160715-1616)Security and Maintenance ProvidersMicrosoft® Windows® Operating SystemMicrosoft CorporationHCPROVIDERS.DLLMD5=C15D299122361895FDFFEF185CF363C2,SHA256=997BB195586586F674F9DC6139FE83B500916955D71DE2D59B0997578A324975,IMPHASH=BE249E0B8CCB9D0F278C11203CB2B06CtrueMicrosoft WindowsValid 734700x80000000000000007992275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:17.342{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\msxml6.dll6.30.14393.4402MSXML 6.0Microsoft XML Core ServicesMicrosoft CorporationMSXML6.dllMD5=B180CFB17D7039CAC46371B8CA857F22,SHA256=C62664A4AA96626864D394EC99F5562DDC59C1CF4DF57AF8E699079F16A85695,IMPHASH=A74F148CA887740D0E045C70ACC762EBtrueMicrosoft WindowsValid 734700x80000000000000007992274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:17.311{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\wer.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Error Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwer.dllMD5=65C4FEDB972CDE71C2AF0F5AFA1C1C15,SHA256=63C1A7AC782F15980F47972E5B481C2E80EBCD1A2A497EAE93F469BD266CC638,IMPHASH=64F80A25C9178937C2771969A7448641trueMicrosoft WindowsValid 734700x80000000000000007992273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:17.311{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\framedynos.dll10.0.14393.4169 (rs1_release.210107-1130)WMI SDK Provider FrameworkMicrosoft® Windows® Operating SystemMicrosoft Corporationframedyn.dllMD5=F5BCBB0713FF862975B07056D25E166E,SHA256=DBB3B6E35E0FEF5B878DE8C85AF578B51C1C2DB025865354E27394AEA87824B2,IMPHASH=AB84E6F170EE70C2F0F5C709A85E872CtrueMicrosoft WindowsValid 734700x80000000000000007992272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:17.311{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\werconcpl.dll10.0.14393.4169 (rs1_release.210107-1130)PRS CPLMicrosoft® Windows® Operating SystemMicrosoft CorporationWerConCpl.DLLMD5=65E57C3B334B11F9A897CCDF25149004,SHA256=3E489B937191FF39ECB0069906232DAE77C107852996958FE60E866117A1C6E2,IMPHASH=83071332CACAC8689D27E6A494F17982trueMicrosoft WindowsValid 23542300x800000000000000015899706Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:17.950{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64540FAC3A00D5C1DCE4B514F3033D66,SHA256=B15FD449C342F65F191589B0E8AEA170C3EBCA84836D281D777DBF01F8D95EC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899705Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:15.526{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51984-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x80000000000000007992329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.639{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007992328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.639{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007992327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.639{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007992326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.514{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007992325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.514{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007992324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.514{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007992323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.514{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007992322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.514{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007992321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.514{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007992320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.514{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007992319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.514{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007992318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.514{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007992317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.514{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007992316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.514{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007992315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.514{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007992314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.514{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007992313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.514{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007992312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.498{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007992311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.498{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007992310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.498{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007992309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.498{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007992308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.498{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007992307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.498{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007992306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.498{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007992305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.498{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007992304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.498{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007992303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.498{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007992302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.498{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007992301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.498{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007992300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.498{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007992299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.498{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 23542300x80000000000000007992298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.498{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D9FE0BA70B35D23471C2CCA584DD387,SHA256=FD5DBB8FB69AB415B8FE07B5EC3AC4A4FAFA624368F00D21830A807B66DE57FE,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007992297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.498{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007992296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.498{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007992295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.498{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007992294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.498{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007992293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.498{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007992292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.498{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007992291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.498{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x80000000000000007992290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.498{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007992289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.498{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007992288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.498{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007992287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.498{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007992286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.498{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007992285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.498{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x80000000000000007992284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.498{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.498{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.498{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.498{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.498{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007992279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.498{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007992278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:18.499{3BF36828-E926-60DD-1902-00000000C801}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015899707Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:18.966{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=682FAFF5EA09F1E1A9515648FFC3659D,SHA256=AE49C87E814E1950D04380A66DB850A0616A3C6EC2D0A6ADFCD1C77F12125A7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007992382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.623{3BF36828-E927-60DD-1A02-00000000C801}41483932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007992381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.623{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007992380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.623{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007992379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007992378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.498{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007992377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.498{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007992376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.498{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007992375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.498{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007992374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.498{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007992373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.498{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007992372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.498{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007992371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.498{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007992370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.498{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007992369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007992368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007992367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007992366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007992365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007992364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007992363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007992362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007992361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007992360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007992359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007992358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007992357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007992356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007992355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007992354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007992353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007992352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007992351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007992350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007992349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007992348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007992347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007992346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007992345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007992344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007992343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007992342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007992341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007992340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007992339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007992338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x80000000000000007992337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007992333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007992332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.485{3BF36828-E927-60DD-1A02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007992331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:19.483{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6431F162A1C96D7158AF9489894BBFE,SHA256=E3FA4CCE37DB8AFE0D3D02CEFBA2B26525ABDE8FBD2D89DD86C26641D9FF8C86,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007992330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:15.214{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62252-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899708Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:19.966{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F853F9C2AE91DF2184C1DD9768D4EE44,SHA256=089B6BEF96F04FE0BB5C3078CB0C3F5BA55493832998508169972069AA0AC177,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:20.905{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63382FDD1399D34E1EC8B83FD2B3839A,SHA256=25A3E986639F3BF7580E1F1158839BBD4F102C64A458AFC575E467A796C9D5F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007992383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:20.201{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B70C1C61420592F2E2B7149EF3820B,SHA256=AA7B025D31A54EA31BF60CF2E36F59C062CE06878A2BFF4F0832AB2E9C68C48E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899709Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:20.966{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F09A781CFCC2D60D89DB78BA4F1AFE84,SHA256=096774BB411CA4093BFD86116ECBEC6A5A940198FBDFEFEADEECC76FC54D6636,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:21.592{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BD21BCD2967A65351902A3F9FD82466,SHA256=0247F38070D94B85162F8CF05DB743F279C9A4CE2F5D80BB64BEDD2DF5503F1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007992385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:20.998{3BF36828-DD1D-60DD-3000-00000000C801}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007992387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:22.280{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE89D6CF6019BF062754F5432916D695,SHA256=899BFBD3C6A840CE2DCD26DE4DF8622CA103EBB681A470B6D2E5B725A0C1C80A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899710Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:22.028{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFB2C990F0958D63B92BA8495E0F4BA5,SHA256=BB8D8E7E07A7043F8FAB7D28EDD82AA3E2C3C14F1DD272DDFD93DE5652D5168C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.764{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9852AD2AA410220B515D64427B1AF5A8,SHA256=2E1CF03F5AA2E49A2B9B4C0C6EB4BA76A4F7F19C1AE89ECB9698A61E252F1DAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007992443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:20.183{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62253-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 734700x80000000000000007992442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.170{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007992441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.170{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007992440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.170{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007992439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.045{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007992438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.045{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007992437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.045{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007992436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.045{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007992435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.045{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007992434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.045{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007992433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.045{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007992432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.045{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007992431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007992430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007992429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007992428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007992427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007992426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007992425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007992424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007992423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007992422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007992421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007992420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007992419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007992418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007992417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007992416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007992415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007992414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007992413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007992412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007992411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007992410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007992409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007992408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007992407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007992406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000007992405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007992404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007992403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007992402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007992401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007992400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x80000000000000007992399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007992398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007992397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007992396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007992395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x80000000000000007992394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007992389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.030{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007992388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:23.032{3BF36828-E92B-60DD-1B02-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000015899712Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:21.556{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51985-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899711Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:23.044{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BFB7F3525B05F579F7D31746B1CFDC8,SHA256=C6AAD413AE475A867FE41D937811E03B60181CC8AA159FD7A0FBD9198D99581A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007992496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.576{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007992495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.576{3BF36828-E92C-60DD-1C02-00000000C801}11844904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007992494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.576{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007992493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.576{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007992492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.467{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007992491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.467{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007992490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.467{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007992489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.467{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007992488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.467{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007992487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.467{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007992486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.467{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007992485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.467{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007992484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007992483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007992482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007992481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007992480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007992479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007992478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007992477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007992476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007992475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007992474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007992473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007992472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007992471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007992470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007992469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007992468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007992467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007992466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007992465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007992464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007992463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007992462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007992461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007992460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007992459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007992458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007992457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007992456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007992455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007992454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007992453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007992452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007992447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.451{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007992446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:24.453{3BF36828-E92C-60DD-1C02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007992445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:20.276{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62254-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899713Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:24.059{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4038B04B9DF53F8008451D9A71BA4E2D,SHA256=872A125D63573631A5EF0F4332701A81D21F2552F600472EB63D807C4B13769E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007992600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.967{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007992599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.967{3BF36828-E92D-60DD-1E02-00000000C801}39602084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007992598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.967{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007992597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.951{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007992596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.842{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007992595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.842{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007992594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.842{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007992593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.842{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007992592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.842{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007992591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.842{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007992590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.842{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007992589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.842{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007992588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007992587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007992586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007992585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007992584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007992583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007992582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007992581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007992580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007992579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007992578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007992577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007992576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007992575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007992574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007992573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007992572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007992571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007992570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007992569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007992568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007992567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007992566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007992565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007992564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007992563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007992562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007992561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007992560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007992559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007992558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007992557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007992556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x80000000000000007992555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007992550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.826{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007992549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.828{3BF36828-E92D-60DD-1E02-00000000C801}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007992548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.280{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007992547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.280{3BF36828-E92D-60DD-1D02-00000000C801}3483704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007992546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.280{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007992545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.280{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007992544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.155{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007992543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.155{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007992542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.155{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007992541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.155{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007992540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.155{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007992539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.155{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007992538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.155{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007992537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.155{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007992536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007992535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007992534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007992533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007992532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007992531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007992530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007992529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007992528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007992527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007992526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007992525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007992524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007992523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 23542300x80000000000000007992522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75376B6F67A0331E49893F62763D7619,SHA256=C37638F14B87E5135E62CC812221371BFF0429B24E68D993F56094385C44F3A3,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007992521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007992520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007992519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007992518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007992517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007992516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007992515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007992514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007992513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007992512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007992511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007992510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007992509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007992508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007992507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007992506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007992505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007992504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007992503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007992498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.139{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007992497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.141{3BF36828-E92D-60DD-1D02-00000000C801}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015899714Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:25.059{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB249334463FE5E982F228D586ED61DD,SHA256=BE5CD045E1944541095CDA0D15DA81098BC8E226F434E64F644337CF04B123B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007992652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.701{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007992651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.701{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007992650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.701{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007992649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.576{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007992648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.576{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007992647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.576{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007992646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.576{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007992645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.576{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007992644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.576{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007992643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.576{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007992642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007992641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007992640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007992639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007992638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007992637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007992636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007992635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x80000000000000007992634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007992633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007992632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007992631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007992630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007992629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007992628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007992627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007992626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007992625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007992624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007992623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007992622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 23542300x80000000000000007992621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=554CB999853F07B90BC71F185BD50B4A,SHA256=19E016660A631F4E1F85A19EA4FB7BF76930D9EECBF6F105CD75BBBFD5AF07BD,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007992620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007992619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007992618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007992617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007992616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007992615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007992614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007992613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007992612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007992611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007992610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007992609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007992608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007992607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x80000000000000007992606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007992602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.561{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007992601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:26.563{3BF36828-E92E-60DD-1F02-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015899715Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:26.091{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6EEABBC94C1349094E0AF2561F64AC1,SHA256=6F803F5A0D9AEA30D13388AB6C61BB6FCAD4CFB62F0173A9DBBFFF1DFE7854B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:27.984{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B52F248BBE2D5A03DBACE6203189F8D,SHA256=625C5D67EC499F7AA2CA2B2E1F4659F3AB96B154C0939C0B35EA2289FA442113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007992654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:27.984{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F98434E96BA78614E1C4C060325BFA03,SHA256=7FD820DB77433BF5F477E23F3E0E48ED03544B7D85E025A43B3532952E2E15AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007992653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:27.248{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=610B4A91B6DF1E9F7D17EE6FF9187D64,SHA256=2A49AB23A961E9E3DE180014ACF5726A8B5DDE8D14756403B54A6EC8084CC08F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899716Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:27.106{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E77B471F2EBD2BE6EB9B755BCD9D023,SHA256=09FA1640227B8CA20DCB97437EEBE534DD2E6D321DCB2B36468459DDDA7CC00E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007992656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:25.292{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62255-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000015899719Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:26.572{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51986-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899718Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:28.529{B81B27B7-880B-60DC-1F00-00000000C701}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899717Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:28.108{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C31A099E2700D3453EE8B20E8C529562,SHA256=844A21F73F0212A241D058A4E12582794577AE47FA8E097BC35932CDEE3180A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:29.406{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C926A04C947D1D6C2D35955F09F2E1B,SHA256=DE534FD74C47FE99485486E217C7798667510DCDC9468F69A29E3D828B78A0A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899720Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:29.123{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC58D29E3A250DD4E593ABC13CEEF713,SHA256=CB8F65D0C612859D87373FC99EEE1446F1EBF5CCC2AA6AC39243B7B0BF3C2F3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:30.875{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2814CD7CE9539F6AB4BB988552182F26,SHA256=256880A22B9A8F5CD3A6DA3726953536A02A177A21012FC77FB61DBADA3D0C1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015899722Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:27.823{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51987-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000015899721Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:30.154{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A13877D89D7650A4A5644B34EFE34080,SHA256=75C73A7B11BAB1C86CAD7955C14BA526F48ECBF9336339B290BB18CFFD702A98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899723Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:31.186{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD749ED20AB2C5AA13F8D2F14F1C6035,SHA256=B9E64F1A101BB43D98CDC50CC3ED5055BADF8190B0B78F21B49D03D570167CA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:32.250{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EDEAD95CE97E242CF2231968D7A0553,SHA256=F8D7344D8594DC5F071BD5D0A78CC13464AF7FD8B6469386487692C8B5045CD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899724Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:32.217{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=463E2B83CF22073A6C76D6DE3E0C4DB2,SHA256=237A996A7736D351C73ACCFE372D327E31CB21E9A7F8A8664EB23427AF4E37F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:33.625{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88EBEA2319720E505DA49157E56FB998,SHA256=481B81A78E8B88360A537B74307D21B7709A01B1D20BAD874466B0FF52B68D6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007992660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:30.371{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62256-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899725Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:33.217{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=784DA8DE78959E9E797747E84FDA4C41,SHA256=EF20C3BDA6CFDA7DBD1A49DB6D9718D9489F4F9C82D93F02C115FC2B8DD45044,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:34.984{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0F827F4968E0FBBCE4647CC95AFF0FD,SHA256=A708DF21A1B8CF1FF8791B2A97F14DF2B3C32D339CEE3E409FC5DC0082EC32E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015899727Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:32.433{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51988-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899726Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:34.264{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAFC37BF10E16270D3226B99916B4832,SHA256=E07CFE0D476A70CE1AD06C49ABE71EC94ED8F0AE5F15BAD348A6A217E3563EDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899728Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:35.264{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBEFEBABE8077357EC3B980DDACB9BB2,SHA256=6472F5FE170E5E2ADF5C81632362CD420187719FAF44B2ABED2246B2EFBC1AE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:36.343{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=367AAC1B5B1D6E0088F8B44DF264B4D9,SHA256=4405FFFB2BFC829F31B0896ECF19436039A573DB7EC63AC4C0159CE048772F2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899729Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:36.264{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4EDEFD7D523BA67DED98303708E2C36,SHA256=11ACBFEB1AB9A7F455051B16A85657884871EC349FE76FB8DF1171CE0AC27E03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:37.718{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9656356E6B06A512A9C20C520C82221,SHA256=55571FAC42B2BE3F7D23BD4EA2A85FB59C177F6F05B330FBA833B7D393017B5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007992664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:37.031{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCF868A2EBB445B6BC3D6D62A4E4F9E5,SHA256=5FE2A693FA6E40CC3694ECC27DC475982862BE76700C99468B167483D94DCDF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899730Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:37.311{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EC12D07D88D41D30841959D0BBCCDF8,SHA256=841209517F5D7A91A40C0861BF88932ADDA6E40F914C293BD4219F1BBEA9C166,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007992666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:35.418{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62257-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899731Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:38.326{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66809A04713A44B3FE77BFD64745D321,SHA256=DB90443C01360BA3064DFF86A32DCB781DF8D4AFF195A8AA9983367D08270F07,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:39.078{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCCC8DFC7CE3CB2D18ABFB5B02269778,SHA256=6E0B03DD49F91456C8031F260457363DAC61E808540009C262073CA6E0DB892A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899732Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:39.373{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA2AB5BFB4833F615D810B6D6A300D6B,SHA256=3898C096AA1464FDC64EE147BB495412F17CC48F812ED5184007E5CD29DF639C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:40.468{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05A3CA1338982A6824C086336DB12E54,SHA256=B0D888C490981EAC14ED3B0D56BA374B3387A8D7EF39B5E34AB8A47F9D0F5529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899734Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:40.420{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B3C793E8244AFEDFE66FA9C2E45C0D0,SHA256=7E9A394EABC2EE75D8C3DB933873AF2CFEDF632832835D68173F8AE7CC5CE257,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899733Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:37.542{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51989-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007992669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:41.843{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1F00881791DFE80233609E1C41B357D,SHA256=A8DF2C7B64A81FF4521630E0C29E06AE059D57C0E8F69C78AF0B6C6276984F1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899735Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:41.420{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CB73961BDF777A6D1C69B74288D232D,SHA256=6C81A8519327FBEBB8CFDE1573933026ACA4B0C758E0E871EA0D74DA8A19B842,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:42.406{3BF36828-DD0D-60DD-1200-00000000C801}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9EB6321C47832140765C673DD5A83FA4,SHA256=FA5936A6B2872D39C8925B18989CE77C7F4647385E28D16F23CE384FBA9E76E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015899749Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:42.889{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E93E-60DD-472A-00000000C701}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899748Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:42.889{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899747Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:42.889{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899746Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:42.889{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899745Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:42.889{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899744Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:42.889{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899743Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:42.889{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899742Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:42.889{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899741Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:42.889{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899740Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:42.889{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899739Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:42.889{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E93E-60DD-472A-00000000C701}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899738Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:42.889{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E93E-60DD-472A-00000000C701}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899737Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:42.890{B81B27B7-E93E-60DD-472A-00000000C701}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015899736Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:42.451{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DC903345C4C37D1D5E430B15F2492EC,SHA256=F062CF3C70A882A49B7DEEB55FEE9346A3C857DAC69E526F2D66140BDA1192FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:43.203{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D92F27BC6B733B0F15C10E5B3128FCC,SHA256=6B107144EC827B8AB97418123D8B3B2D07DFE690D00DBD257A41E06B0E42B288,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899794Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.920{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DF3890F55D59F5D00287504418D299D,SHA256=749AB6AD5CA240B23572BE1C29A3A8CA15B9E6EFB45F2CEA03EBFE7FF32AE045,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899793Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.920{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3505D525BB2C81409C08C86474A77B3,SHA256=A6B944F8FFF620B9CB991A22BABC572F1A76B2BAE413D537F777A238232FFABD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015899792Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.654{B81B27B7-E93F-60DD-482A-00000000C701}53042960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899791Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.514{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E93F-60DD-482A-00000000C701}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015899790Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.514{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A6E64B7D54D6BC3EE0B58EE24B2FF30,SHA256=E314FC08F9C5FFFD110341A4BA17DEEF72524F03B6E4B870C1EBD9277EAD51CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015899789Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.514{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899788Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.514{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899787Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.514{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899786Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.514{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899785Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.514{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899784Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.514{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899783Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.514{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899782Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.514{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899781Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.514{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899780Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.514{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E93F-60DD-482A-00000000C701}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899779Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.514{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E93F-60DD-482A-00000000C701}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899778Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.515{B81B27B7-E93F-60DD-482A-00000000C701}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000015899777Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899776Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899775Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899774Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899773Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899772Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899771Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899770Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899769Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899768Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899767Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899766Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899765Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899764Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899763Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899762Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899761Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899760Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899759Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899758Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899757Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899756Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899755Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899754Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899753Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899752Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899751Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899750Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007992673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:44.578{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5E7FBBC0B3C32E38329DB5D255DF7B5,SHA256=9E428359BBB426F2695A59C6B8E17CA19E1AA26D2F2FC61552FEAE00FF1C8FB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007992672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:41.246{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62258-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899808Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:44.764{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA9237B25525DB71493B302D1EFA173C,SHA256=72FEC22CE6EEDA15DF75ECDA99160A4A44E15D31CEEE6D5AD7540BDD6866022B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015899807Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:44.139{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E940-60DD-492A-00000000C701}5896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899806Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:44.139{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899805Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:44.139{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899804Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:44.139{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899803Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:44.139{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899802Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:44.139{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899801Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:44.139{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899800Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:44.139{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899799Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:44.139{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899798Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:44.139{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899797Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:44.139{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E940-60DD-492A-00000000C701}5896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899796Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:44.139{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E940-60DD-492A-00000000C701}5896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899795Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:44.140{B81B27B7-E940-60DD-492A-00000000C701}5896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007992675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:45.937{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B659E30742F21BCCADC137E4E65A24FC,SHA256=01F8983107F86764C6B4E51B2F6CACB2FEDFE2A5620E7E6B304646F210BA8A53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007992674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:45.937{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02CBFB5606411DED93EEC4634F481B8D,SHA256=68CEE382BDFD58FD433592EF5027F883DF76CC39C8A1BEEA8256DE172BAE7E00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899810Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:45.857{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9E51262A50B963B31B39A5F2A747EC9,SHA256=3E96EA6840D228ED51C03EFCD70014CABF8F4B2584B6E328F5F1342D7A87FABE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899809Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:45.154{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DF3890F55D59F5D00287504418D299D,SHA256=749AB6AD5CA240B23572BE1C29A3A8CA15B9E6EFB45F2CEA03EBFE7FF32AE045,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899812Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:46.873{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1647C7E3E8E5AD8EE5A643F25BE267FC,SHA256=87C9512BC9D6BE13EA9F6CB4D1ADB6D9BA7375B2AC323B8639E37902BC2291B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899811Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:43.370{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51990-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007992676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:47.312{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CA8EF8F05EA00629E6686B0B37D422F,SHA256=B6407AA81BE892CF33EF70AE874E6FC07F54664C7F55CA6FE5301FC3D4F59901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899827Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:47.903{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6EE841F8E4CA163ADF0A606209A5A10,SHA256=F48A391A393CDD11275E3293162E1F1206D974AACAFB3348C81099316964C7D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015899826Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:47.544{B81B27B7-E943-60DD-4A2A-00000000C701}31083844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899825Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:47.404{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E943-60DD-4A2A-00000000C701}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899824Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:47.404{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899823Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:47.404{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899822Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:47.404{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899821Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:47.404{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899820Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:47.404{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899819Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:47.404{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899818Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:47.404{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899817Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:47.404{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899816Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:47.404{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899815Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:47.404{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E943-60DD-4A2A-00000000C701}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899814Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:47.404{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E943-60DD-4A2A-00000000C701}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899813Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:47.405{B81B27B7-E943-60DD-4A2A-00000000C701}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007992677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:46.339{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62259-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000015899859Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:48.903{B81B27B7-E944-60DD-4C2A-00000000C701}14285280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899858Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:48.747{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E944-60DD-4C2A-00000000C701}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899857Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:48.747{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899856Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:48.747{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899855Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:48.747{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899854Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:48.747{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899853Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:48.747{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899852Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:48.747{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899851Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:48.747{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899850Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:48.747{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899849Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:48.747{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899848Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:48.747{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E944-60DD-4C2A-00000000C701}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899847Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:48.747{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E944-60DD-4C2A-00000000C701}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899846Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:48.748{B81B27B7-E944-60DD-4C2A-00000000C701}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000015899845Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:48.622{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1500-00000000C701}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899844Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:48.622{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1500-00000000C701}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899843Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:48.622{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1500-00000000C701}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015899842Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:48.419{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33A8F343EE5069E880080F059E58592A,SHA256=4C7F998C6BD32AE8018C1DF015B6D78832368122EB11535F2311CAD72A56554F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015899841Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:48.232{B81B27B7-E944-60DD-4B2A-00000000C701}52082324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899840Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:48.075{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E944-60DD-4B2A-00000000C701}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899839Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:48.075{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899838Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:48.075{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899837Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:48.075{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899836Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:48.075{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899835Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:48.075{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899834Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:48.075{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899833Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:48.075{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899832Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:48.075{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899831Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:48.075{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899830Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:48.075{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E944-60DD-4B2A-00000000C701}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899829Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:48.075{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E944-60DD-4B2A-00000000C701}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899828Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:48.076{B81B27B7-E944-60DD-4B2A-00000000C701}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015899874Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:49.778{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7E9D17F2EF4DF7E8A9D0A12311F827C,SHA256=F6FA3F8017837F90B13D9457BC1E026B5720C0EBD6591EE0D1B89C1CDE47EEEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015899873Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:49.419{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E945-60DD-4D2A-00000000C701}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899872Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:49.419{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899871Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:49.419{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899870Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:49.419{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899869Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:49.419{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899868Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:49.419{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899867Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:49.419{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899866Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:49.419{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899865Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:49.419{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899864Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:49.419{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899863Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:49.419{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E945-60DD-4D2A-00000000C701}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899862Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:49.419{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E945-60DD-4D2A-00000000C701}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899861Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:49.420{B81B27B7-E945-60DD-4D2A-00000000C701}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015899860Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:49.060{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F42428F2711C3528CFE9205C9BCB2F96,SHA256=37BC7AC706928D17B30BCC42D2E12DEF4BCE90DC348DF13A704D83DA0FC6CA44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:50.343{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=531FB24077680B9BE60653FB411BC785,SHA256=183A8D14FC1F751CD4F4888213CBF28551E0CCAC074408C3428C1C168F8F55A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899875Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:50.216{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F35AF64BD237B48881FB64D08EEBC0,SHA256=EC001B2E06CACC5E7D06CE16A66F5CED651DDBE5C5978BAA91913D7489E47CE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:51.732{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECB68891D20BD667D3E64F15891E816E,SHA256=F57F2F9B56BECAC0FFE580075F12215DA66E20FFDC7ECA4406CAA9AEB7B5FB4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007992679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:51.044{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAEB1B1638DFA50FDD059525497FF67F,SHA256=EDF063AAA6B4DF192FFEC280B067D6053EF9AB1C532DAE372794E2845B706A9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899876Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:51.247{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0E4F73F699214B2F04E9DF19FFC16A9,SHA256=8FDF11D4E9C90C5FD75818C8C439D218C0AB495D9DE93E0D769FB1BEA59B3C1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899878Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:49.400{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51991-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899877Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:52.247{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0F3C9E25F5355ABE976753354DEAC36,SHA256=B0785F4AB3D216092EC69817B70356635F49D39230637191483BE7AC6797852B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:53.094{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C47E461DE4713C5BE8A991E414F8509,SHA256=17BBCEA2EAB3909929C87BA88200BBB3FECE885A528E032E375A3B2018221B48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899879Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:53.278{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E98F56B4C0BE4EC05E90522BE558AB9,SHA256=F37558AA6DA851B62A3645A4689147D2F6FC4FB867A4FA1DC61564982ABF1F56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:54.469{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D49433AFA5C2813D10DBF25AE25250C2,SHA256=5B9D4808AA33A4CCAF631047FC63F29C5189B4B37F7D231397F5AA1175BD5008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899880Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:54.294{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4411E274A1D3FE6A68BB59BFF0A4DDED,SHA256=0509DCAB411EDE62B1E60CC373172D81600287641E80F79A28A948B695182B94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:55.828{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5821523C269EAB54045C8EBECCD0DA9,SHA256=9EA8E8E2D092BE23F1E0AFB6CE37749EE8A5E1DB9D3A5E784DEF7F274325B851,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007992683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:52.278{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62260-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899882Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:55.372{B81B27B7-880A-60DC-1000-00000000C701}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0A50D22FB4562994FBD938CD6B5F78B8,SHA256=ECD942123D214FC4044346FCC59DE64BDC3AB8A85A14CF0E6DB5AC4BFC33733C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899881Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:55.325{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3EE6A38274FBBAAB1B5A78B0C568C8,SHA256=6395F47631FEC6FA3E4CC895C28F71960A961CB5828FFE16AAF7187390BEA9E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899883Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:56.325{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF3266EA8915DFFD45C567D57E8224BA,SHA256=56972CAAC59E2347C35197ED74AD933DDB17232D290772BB0ADC780DF5687415,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:57.188{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1065AAE55A37B4023904CDA52E60A995,SHA256=298942C6C4D23072A36B96C1D396F51BD34090A6BB4A4A2AA937BFF30193801B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007992685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:57.188{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE96AA25728D6DCCF844D53B37ECDBFF,SHA256=592792DE682D828EF0A7985DAFE69BB358375FDB3B0537D32390E17021FCC0AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899885Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:57.326{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F024251C9222CC7A73340A367097B4CF,SHA256=835E7E76039FAF57D6F8A36C8187DC70FABDEFF42045B1203E0AC91CB185F892,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899884Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:54.525{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51992-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007992687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:58.563{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6FE131A53BEB3A854A3F84BDF50F529,SHA256=D1A904009C3ACB7C574DD391C9C7931013CE44CCDFAA328817426DDEA6246FE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899886Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:58.371{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AD6DA220B4C534D33EDD071BCBDF675,SHA256=A79B845A5C3EBF8C6C4E8E3F17B0A1260F14DAD20D6A2AF0A0A6F7DF0617D071,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:59.922{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E330896908965EB09339767FDC5471,SHA256=D44E9B3EE19850B40476187EDBAE134A38AF8642462D020191C931861467BCA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899887Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:11:59.406{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=374AA7472D55C9D36553899CCB6F2513,SHA256=030BCD3872CBEE84F22CF10509632DF510871E97105F31DE1BDA9A33578A6379,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007992692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:00.813{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1600-00000000C801}1320C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:00.813{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1600-00000000C801}1320C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:00.813{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1600-00000000C801}1320C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000007992689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:11:57.371{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62261-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899888Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:00.422{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD28C86F38C6B2360A37AE5B70FADCD6,SHA256=BFB67D04A93BF72782FA263E8C7F1F65CE4800F6D7AD8BBB99E119F29B82A5CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:01.282{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FD5DE8CD25B9DB377A8FD22783B1306,SHA256=212927DCBC2F7E0944235C21F2E5F631B3E45194F133403A25C746BF0D4A819E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899889Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:01.422{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0DE0D26EDD66F711F6D94829B43B2CB,SHA256=2F50ABA62BC0000D5838E25C7E13BB9B1D0AA7E7173A2CF72D1F0846F3AF8060,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:02.657{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB0B3311243E62744CE1BCE05966565A,SHA256=2978EB4B5B01191AD407F7AB9397F23FC840E5D22CFD244E30BAF62C43AA0FC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899891Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:02.469{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B460DCFE330633650A59CB032B10D5B,SHA256=0144E0DBED5F8E81A93C6A4D3AD3039E0DDBA5D91DAA253B416764E4EAF9DA94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899890Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:00.341{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51993-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899892Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:03.500{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6616A053036090DBE374E01C925C1A8F,SHA256=1996EED795E81987E9D84517739AE790572114692F00CFE7DD50E3717B0BF939,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:04.032{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85B6953D091F5104E520E12FAFCBBCCE,SHA256=93A636E455488F7778A9AE725991262CE670B68BB27D201F2E68743238D31B2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899893Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:04.515{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6753B9136328387BDB97C2491FB231A,SHA256=309B07892E317F4C32F3F1F518723A69FBE0692C817E5B62630892071D6C2B02,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007992697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:03.308{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62262-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007992696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:05.391{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=270146FCBBE11B60356327988A81D909,SHA256=29EDF2179DDAE976D09BC27F4DA345079193C2B431EFD43E3050279C25F47E0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899894Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:05.578{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=726C105F20AC3B428E38806E9ECF3EAE,SHA256=FFF78DF6DEBDB2A60379841A00C47BEFD26224202250A29FD88F9E64F32D8BBA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:06.766{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=968104AE8E4A0924E2D5D72C401716AE,SHA256=31A5ED38B8C51E7D525CA9DE2F414D22A5A352606255AECEEAFEBBD548809BC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007992698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:06.079{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9DF2182C04E8566A4274BA62A54AEEF,SHA256=0770C10F5FC48DCAF4A02792145C5E92E5FC91DFEBFB86855729F715942D21AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899895Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:06.640{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C6336DC50F8F757E5C4B85C4FF610A,SHA256=0733BF71271D6CF321D1F8220DD3E7160C1DD2180DB36DE3AF4E7DCE0BEEFE0A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899897Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:07.642{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=555195563D2175EA792B750DC4CD85CA,SHA256=A5D855C6D1B4CCCBC55F5E1828518407B97960724F705F03CB414615977D40AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899896Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:05.435{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51994-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007992700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:08.128{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9DE6A66BA62420572C8AB755AC0EEF8,SHA256=D93B2DEAC943A225C09A6DBDDB0D00200970F866E76F80DE1A80D705AF99A4CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899898Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:08.658{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B3EC82CC761CDA8F0F11C7B7E61EF21,SHA256=DDCD3652165419F6D7E78353645F6D0029BCD18EE2EC8B2F4F9BB9D88C5A6F3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:09.487{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86A70F2B2D1A93D369B7FBE1D5532C1E,SHA256=EEDB6F469380C9CC59D1005C684DB0FB2DAD11AB6E3457C9FCE634EC753C7908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899899Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:09.689{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D194429D6F4CA59556FC739E441CF7,SHA256=37AA0A8AB74370217A4A27C3AF854FFFA41ED04EC5627246B341ED6DB4A876B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:10.863{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53A8DD5204BDDC642CAF8B47E3E52C7F,SHA256=62DE420392C91EB612B09A27F3EED3DDD50415D201B86D5A359B88376E142B5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007992702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:08.389{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62263-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899900Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:10.689{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DB064E0DA415D0E4647AE57F104C33B,SHA256=FE65D92747326054374C71F823C3B5E71DB1DC596FE8249BA0FCCCF33E1ADE41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899901Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:11.705{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8D49AFD1934E56ADE93EEF186982D3D,SHA256=9655CB72CA1B063BAD7198704EE28E265C8BC33FA56441FFB51CC02375EA0FB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007992706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:10.780{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62264-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007992705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:10.780{3BF36828-DD1D-60DD-2F00-00000000C801}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62264-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x80000000000000007992704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:12.222{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9585E899AD2140183DB4684A43D0C80F,SHA256=BB0BBC413FD98682C112D4BBB006897D906306696621E18731F3B1FA40BC7289,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899902Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:12.720{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72DFC7009807AE22D19052F48B079F7D,SHA256=7A46F12ACA96BACEBBFD8446A0F119D2740F05911F98D24F23A14970E2A5F46D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:13.581{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0E6131707426D0D69C4F6A5BF601FBB,SHA256=3ABE4184918062D0EE6B151380C1BC66F3B0726D5D0DB1263571F5FFEE2472F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899903Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:13.752{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=761C511E84841121C010F1CFDAFB9412,SHA256=7B83DFFDE0C7BD39901FE35E1C95B68EA38A25157C475594E0DF51C854B372D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:14.956{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF1616D420DB8578472BDF6ED3ABE6C4,SHA256=AC802BBE2F2E800E983E8C0E7F4885EA5D1C823A82238F5C717B2A5713C1D725,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007992708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:14.956{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D684D43253C2B3938BCAEDBC486F95,SHA256=FE762F046987CB701D38AEFDBA5322D47BE76CB385D1A6C0BF351539D275C97A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899905Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:14.814{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B7D41BAD129DFFC4B57B4ED071100E9,SHA256=FFFEE02C7506FF8A974541E811E78D44641B2998D25E3B344E26326C5E1D11B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899904Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:11.467{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51995-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000007992747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:15.847{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015899906Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:15.830{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6AF3218395C5852DE737CC03C67DAD9,SHA256=BD76C4EC42D2979A5716A29867521E9200414DCE5B09850CF93FA9513776D567,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:16.331{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7941A08AAAAA1F9576E03665E302823F,SHA256=8E8FA80E9F85C781978645419475060F7CE31B53F65A11D6D7ED9603B9AE0760,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899907Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:16.861{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39DB0A1F6D1F3407F90DEC78A9C4F708,SHA256=09E60538C1C87F7F322F8003D929B750784AAEEF1DCA9E87EEC045A9E8B26980,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007992852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.816{3BF36828-E961-60DD-2102-00000000C801}36203580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007992851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.816{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007992850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.816{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007992849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.706{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007992848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.706{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007992847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.706{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007992846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.706{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007992845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.706{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007992844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.706{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007992843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.706{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007992842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.706{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007992841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.706{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007992840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007992839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007992838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007992837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007992836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007992835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007992834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007992833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007992832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007992831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007992830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007992829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007992828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007992827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007992826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007992825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 23542300x80000000000000007992824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16F8B923CDEB9F37BB316594DCF80102,SHA256=5F21048674C84CF4E35BF865570EF9864DE8228D6EDBD4F7ED38615B1A040BB8,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007992823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007992822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007992821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007992820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007992819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007992818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007992817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007992816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007992815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007992814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007992813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007992812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007992811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007992810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007992809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007992808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x80000000000000007992807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007992802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.691{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007992801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.693{3BF36828-E961-60DD-2102-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007992800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.128{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007992799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.128{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007992798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.128{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x80000000000000007992797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:14.264{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62265-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x80000000000000007992796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.019{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007992795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.019{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007992794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.019{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007992793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.019{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007992792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.019{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007992791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.019{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007992790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.019{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007992789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.019{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007992788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007992787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007992786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007992785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007992784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007992783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007992782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007992781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007992780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007992779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007992778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007992777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007992776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007992775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007992774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007992773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007992772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007992771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007992770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007992769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007992768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007992767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007992766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007992765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007992764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007992763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007992762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x80000000000000007992761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007992760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007992759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007992758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007992757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007992756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x80000000000000007992755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007992750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.003{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007992749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:17.005{3BF36828-E961-60DD-2002-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015899908Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:17.892{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC671D4C9E5423C742F8482285EBC1F0,SHA256=EF3BD16544539B98B5304A06BDF009A0A251A6D2C4E5133235410A1338765D04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899910Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:18.908{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=792FC7B11F2EDEFC3D0A18595BB66979,SHA256=BDB3A136E9DE3350CC1F9E68B06471F50E1404DFB45F94C859E49F8BDD45B425,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899909Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:16.546{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51996-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899911Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:19.939{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04A377065A878732E05D36693EB01842,SHA256=60734083DC1B5C9982A99D760053D27E1243CCF2D53CF78DC225A7CD4249EF87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899912Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:20.955{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F19D7F72952063F48716FBBAB5549DDD,SHA256=530824F5CEDBE67C480844C0D79AF3A17077F2F24555BF67B56BBE90D97D6171,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007992854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:21.409{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09307A1852C6C77F796574D77126C25E,SHA256=1E69F3B418806A640A4A83717500D5BF195D0A649BE75D079F4D29A89B81E33B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007992853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:21.019{3BF36828-DD1D-60DD-3000-00000000C801}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007992856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:22.113{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F47B10C64B36BF833A6EF6303D22E79,SHA256=CBE48E5234487765D7FE874670C5655DF891B143AD948EE2FC0E2655625C5550,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007992855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:19.280{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62266-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899913Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:22.017{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2B4BDA50980E9257A36E8CB75475BC8,SHA256=0C8037B2338FED75C0423A6F8F11182B710F0865A5D3F67D1603C9CB8DB5A2D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007992913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.706{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007992912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.706{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007992911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.691{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007992910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.581{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007992909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.581{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007992908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.581{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007992907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.581{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007992906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.581{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007992905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.581{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007992904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.581{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007992903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.581{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007992902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007992901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007992900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007992899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007992898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007992897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007992896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007992895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007992894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007992893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007992892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007992891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007992890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007992889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007992888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007992887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007992886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007992885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007992884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007992883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007992882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007992881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007992880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007992879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007992878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007992877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007992876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007992875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000007992874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007992873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007992872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007992871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x80000000000000007992870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007992869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007992868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007992867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007992866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x80000000000000007992865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007992860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007992859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.568{3BF36828-E967-60DD-2202-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007992858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:23.566{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DD2D21F22AE747477E71E907C89CFCC,SHA256=FC07A4A93BC4A71316AD84427FA55072A0410CA5BE85D900145F4417011A8EA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007992857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:20.202{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62267-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000015899914Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:23.033{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D02ED8486F28845E871833ACEF501A6A,SHA256=95047581920FFE995F23EFD4250E957000DB1180689F725969F82D93A19DCC1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007992944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007992943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007992942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007992941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007992940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007992939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007992938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007992937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007992936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007992935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007992934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007992933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007992932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007992931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007992930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007992929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007992928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007992927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007992926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007992925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007992924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007992923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007992922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007992921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007992916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007992915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.989{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007992914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.300{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25F982191B8B2747A65941D38F2A0B5F,SHA256=6295423E6D6041360E406FFD49678B53A3DC3F5E1E3A69C811AD1FE03052A5A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015899916Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:22.389{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51997-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899915Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:24.048{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88382CCEC09D913C90B9D06E0D4C7381,SHA256=6C49BFD890B84852EA676DE4BC397AC36D38536EB416E900E1C11669B5D7F4E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007993018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.800{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007993017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.800{3BF36828-E969-60DD-2402-00000000C801}33044956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007993016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.784{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007993015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.784{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007993014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.675{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007993013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.675{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007993012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.675{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007993011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.675{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007993010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.675{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007993009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.675{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007993008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.675{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007993007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.675{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007993006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007993005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007993004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007993003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007993002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007993001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007993000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007992999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007992998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007992997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007992996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 23542300x80000000000000007992995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9344683DACDAE5236A5C145DC91C5EFE,SHA256=C2FE8513DCE836EDC993C55C460167720CB6C6306262309F00D8A7F71A9600F4,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007992994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007992993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007992992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007992991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007992990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007992989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007992988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007992987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007992986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007992985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007992984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007992983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007992982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007992981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007992980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007992979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007992978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007992977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007992976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007992975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007992974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007992973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x80000000000000007992972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007992968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007992967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.659{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007992966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.661{3BF36828-E969-60DD-2402-00000000C801}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007992965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.113{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007992964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.113{3BF36828-E968-60DD-2302-00000000C801}32884940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007992963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.113{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007992962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.113{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007992961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.003{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007992960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.003{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007992959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.003{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007992958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.003{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007992957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.003{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007992956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:25.003{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007992955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007992954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007992953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007992952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007992951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007992950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007992949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007992948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007992947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007992946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007992945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.988{3BF36828-E968-60DD-2302-00000000C801}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 23542300x800000000000000015899917Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:25.064{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F08026CE8505F3545F55CAC507423E3F,SHA256=FA5873DB4EA09305827CC4CAB3B7F9DCF7671F8EC6B63E333B6D47B11D3D40FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007993069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.472{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007993068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.472{3BF36828-E96A-60DD-2502-00000000C801}19442820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007993067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.472{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007993066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.472{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007993065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.363{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007993064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.363{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007993063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.363{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007993062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.363{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007993061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.363{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007993060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.363{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007993059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.363{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007993058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.363{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007993057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007993056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007993055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007993054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007993053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007993052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007993051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007993050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007993049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007993048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007993047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007993046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007993045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007993044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007993043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007993042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007993041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007993040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007993039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007993038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007993037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007993036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007993035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007993034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007993033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007993032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007993031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007993030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007993029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007993028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007993027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007993026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007993025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007993020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.347{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007993019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:26.349{3BF36828-E96A-60DD-2502-00000000C801}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015899918Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:26.111{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B03EDE5F5F0982AC9EF3DA6E8C9589DD,SHA256=272C95255DAB94E9A0DAB3FBC58DCDDB49B8C8BFD8B364D95E09D0B7E7646F00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007993124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.770{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F558AEBBD28A83899EA8841977B81AB6,SHA256=2153F9EC6B466A290556A2C53B8C2236F8B966894DB592DB3FA7B765C6CAA201,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007993123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.770{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29199A972A6ED7C835556273BBAF8A0C,SHA256=A3659A236F056233EC79EC6A66DC0FCC4D0375DCECCFDC7199CD9516A5BD1D09,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007993122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:24.373{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62268-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x80000000000000007993121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.238{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007993120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.222{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007993119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.222{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007993118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.113{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007993117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.113{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007993116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.113{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007993115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.113{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007993114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.113{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007993113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.113{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007993112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.113{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 23542300x80000000000000007993111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A93055846EEF4B07A43C0687DE0CB2,SHA256=34B775B9F3BDA472C1DEAB04175297604F4BDB1FC2279EEA8CE02A1654B0E7F7,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007993110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007993109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007993108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007993107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007993106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007993105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007993104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007993103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x80000000000000007993102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007993101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007993100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007993099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007993098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007993097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007993096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007993095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007993094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007993093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007993092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007993091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007993090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007993089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007993088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007993087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007993086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007993085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007993084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007993083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007993082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007993081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007993080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007993079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007993078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007993077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x80000000000000007993076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007993071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.097{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007993070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:27.099{3BF36828-E96B-60DD-2602-00000000C801}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015899919Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:27.142{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5BB5206FA994BD6F16BEB54F5FEA2BF,SHA256=8B4D726EAE5DAD17E8BF417181628139770D97C35F384570ABED7B35B1F08D35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007993125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:28.504{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0E191C217E9EEAD6AC8CA87DE516DEE,SHA256=A7648F1817D253A080EDBC806A1D7F90B1216FDCFAA20D4C6A8FA7CAF641AC00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899921Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:28.549{B81B27B7-880B-60DC-1F00-00000000C701}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899920Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:28.158{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B87D77177257B4CC661280C122CFC348,SHA256=005B7BA8D4D851AA7BE80712D8DF67237E2F7FCAB8A19D7480C2181F04017A30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007993126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:29.926{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E2B9A1C744493CC605FCF0826EC910C,SHA256=3671E877ADD6B0204FB63AD5F92149F8A24C26F5775622A8AD907D473D318313,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015899924Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:27.843{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51999-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x800000000000000015899923Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:27.499{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local51998-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899922Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:29.190{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EF907892BE1B44B220B9EFFC7A8D8FA,SHA256=259B7BCB1DFFCB892F89CB943B671D0175F6494F31BECE278E4D433F1CD59849,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899925Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:30.205{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD8B8C93F952D89B12B04128CCB95863,SHA256=701CA5598E4A3AAADA24E0A10BDF080DB79B11329F64652C111785947648C945,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007993127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:31.410{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5870E2FC26D3E2FF59980242BB269EA8,SHA256=8CCCEB008EE7866E4BF303C91B455D6043ED9BC052BA11A0EC6E758EE74D2607,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899926Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:31.221{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=362EBEF4E4AD34CE595D61531F19F8BF,SHA256=4728C61BE914FE06FBF0641595339DF48A7427A34DCD0CA1D9083AF071FF94EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007993129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:32.770{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32C23465C6EBD3C748196B4369CA6A8C,SHA256=7088C078F7B2482BCE4452136172F5AF11C64BBC58B7A7FB2956582C41B4A231,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007993128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:29.374{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62269-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899927Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:32.252{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E570F9814A57EEA79173A610B7E6EE,SHA256=6697C006C176EABFDABFE707A774454D41AFED595E23C8FDDD60DE844CD3FE58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899928Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:33.268{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C6BD6F94AA45CB2709073842ACB8F6C,SHA256=7A0F786668686B9E1402C98BB68DFD9112DE09A6709C2A8AF5DC7E912A97118B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007993130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:34.145{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6519D1E8B89E30D4F39DA3CE0439A04,SHA256=C2E03ECB4C0DD4AD2001C1E041C4AD59B28457579A1944F535CE2C6E5DCDCE1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899929Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:34.283{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CD2225D7FDC519E4330594D68BDB3DB,SHA256=D6C9C41EA5B314F1138FDBAFD6F49D56CDC6D0F04B0055A4773B491F40563A3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007993131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:35.504{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F6C3FCC64C81AC25A052C24C3258573,SHA256=CCDD6DA2B0FA102A6D2583DCCEB0C7D7011F01F183E6F909F4A60E350F0E983C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899931Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:35.315{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE33D5E7C8F423EDD09C1200ACEE421D,SHA256=6A1FBCDDCD32D172297B27E86B3BA8327E1BC16C7F22ABAE9778E4F751A6AFE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899930Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:32.531{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52000-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007993191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.879{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DE852978F2BD63103D5E26C83033D79,SHA256=B1F6495EE02013E76E3A347088103F43D0E32435F66637ACA8679CD78A706CA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007993190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:34.374{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62270-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000007993189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.567{3BF36828-E8AB-60DD-0602-00000000C801}38122080C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.567{3BF36828-E8AB-60DD-0602-00000000C801}38122080C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007993187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.504{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\GlobCollationHost.dll10.0.14393.4169 (rs1_release.210107-1130)GlobCollationHostMicrosoft® Windows® Operating SystemMicrosoft CorporationGlobCollationHost.dllMD5=FE882365D86F6E44EFC87EC7B5254390,SHA256=8198641FDE94EE03D9CA57919602D9B1AD260073857067E2B299F0CF2550936C,IMPHASH=C03E8C7B87D41F339890F29E06DD9229trueMicrosoft WindowsValid 734700x80000000000000007993186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.473{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\Windows.Cortana.OneCore.dll10.0.14393.4169 (rs1_release.210107-1130)Windows.Cortana.OneCoreMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Cortana.OneCore.dllMD5=7ADD0831943D133FCD4600D4EC369B58,SHA256=4F0636A1B47873C77B07A72C7B927A5DBCC9F55F3D7DC5CF7C8C8D792F851991,IMPHASH=1068EC212E64E1DBA938E5F82BA8EEB5trueMicrosoft WindowsValid 10341000x80000000000000007993185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.473{3BF36828-E8AA-60DD-FC01-00000000C801}34883928C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.473{3BF36828-E8AA-60DD-FC01-00000000C801}34883928C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.473{3BF36828-E8AB-60DD-0602-00000000C801}38123588C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.473{3BF36828-E8AB-60DD-0602-00000000C801}38123588C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.473{3BF36828-E8AA-60DD-FC01-00000000C801}34883928C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.473{3BF36828-E8AA-60DD-FC01-00000000C801}34883928C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000007993179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.457{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000007993178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.457{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000007993177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.457{3BF36828-E8AB-60DD-0602-00000000C801}38122080C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.457{3BF36828-DD1D-60DD-2B00-00000000C801}12805096C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000007993175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.457{3BF36828-DD1D-60DD-2B00-00000000C801}12805096C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x80000000000000007993174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0D-60DD-0D00-00000000C801}9245088C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0D-60DD-0D00-00000000C801}9245088C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0D-60DD-0D00-00000000C801}924956C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0D-60DD-0D00-00000000C801}924956C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0D-60DD-0D00-00000000C801}924956C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0D-60DD-0D00-00000000C801}924956C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0D-60DD-0D00-00000000C801}9245088C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0D-60DD-0D00-00000000C801}9245088C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0D-60DD-0D00-00000000C801}924956C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0D-60DD-0D00-00000000C801}924956C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0D-60DD-0D00-00000000C801}9245088C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0D-60DD-0D00-00000000C801}9245088C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0D-60DD-0D00-00000000C801}9245088C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0D-60DD-0D00-00000000C801}9245088C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0D-60DD-0D00-00000000C801}9245088C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0D-60DD-0D00-00000000C801}9245088C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0D-60DD-0D00-00000000C801}9245088C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007993153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0D-60DD-0D00-00000000C801}9245088C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007993151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0C-60DD-0C00-00000000C801}864616C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007993150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0D-60DD-0D00-00000000C801}9245088C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0D-60DD-0D00-00000000C801}9245088C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0D-60DD-0D00-00000000C801}9245088C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0D-60DD-0D00-00000000C801}9245088C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0D-60DD-0D00-00000000C801}9245088C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0D-60DD-0D00-00000000C801}9245088C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-E8AB-60DD-0602-00000000C801}38122412C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007993138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007993137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-E8AB-60DD-0602-00000000C801}38125032C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007993135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-E8AB-60DD-0602-00000000C801}38125032C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37528|C:\Windows\System32\TwinUI.dll+37448|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+3fb990|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 10341000x80000000000000007993132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:36.442{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37590|C:\Windows\System32\TwinUI.dll+37435|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+3fb990|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 23542300x800000000000000015899932Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:36.330{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5235FB80F242976292130886E65F5977,SHA256=2828DD3638672D9B7A112CCFCB344957981A71B1913A9A3416EEF292A4FDDBD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007993314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.988{3BF36828-E8AA-60DD-FC01-00000000C801}3488872C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.988{3BF36828-E8AA-60DD-FC01-00000000C801}3488872C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.988{3BF36828-E8AA-60DD-FC01-00000000C801}34883928C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.988{3BF36828-E8AA-60DD-FC01-00000000C801}34883928C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 734700x80000000000000007993310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.988{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AE,IMPHASH=52045AC79DBE663F06AB7C9717524D40trueMicrosoft WindowsValid 734700x80000000000000007993309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.988{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\thumbcache.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Thumbnail CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationthumbcache.dllMD5=C146766884A92B154F2EB38463F2263D,SHA256=48C5CC7760187EDB140A904D3AC5FD24F740973CDBA07962047859F84E7BEB9C,IMPHASH=428FE673E24F7848BECF2BA2271A839AtrueMicrosoft WindowsValid 10341000x80000000000000007993308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.988{3BF36828-E8AA-60DD-FC01-00000000C801}3488392C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+f0036|C:\Windows\System32\windows.storage.dll+f1998|C:\Windows\system32\windows.cortana.onecore.dll+1602f|C:\Windows\system32\windows.cortana.onecore.dll+16127|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000007993307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.988{3BF36828-E8AA-60DD-FC01-00000000C801}3488392C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+5d030|C:\Windows\System32\windows.storage.dll+6c014|C:\Windows\System32\windows.storage.dll+178c6b|C:\Windows\system32\windows.cortana.onecore.dll+1717e|C:\Windows\system32\windows.cortana.onecore.dll+15fb7|C:\Windows\system32\windows.cortana.onecore.dll+16127|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06 734700x80000000000000007993306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.988{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x80000000000000007993305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.973{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\StructuredQuery.dll7.0.14393.4169 (rs1_release.210107-1130)Structured QueryWindows® SearchMicrosoft CorporationStructuredQuery.dllMD5=330E02FA330C93B93B477AA2F88C8A3A,SHA256=958A6977B820D04D94C8FD85C23CC62D77F0498BB59A648744E8F43704FD7F26,IMPHASH=870079407DAAD548AC5B3F417EEBB243trueMicrosoft WindowsValid 10341000x80000000000000007993304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.957{3BF36828-E8AA-60DD-FC01-00000000C801}34883928C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.957{3BF36828-E8AA-60DD-FC01-00000000C801}34883928C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 734700x80000000000000007993302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.926{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\WinTypes.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=AAA321C636929D23C58B5A78EDA04B61,SHA256=E33D62CC132B8D790B3604DBE227CD2A270E30C1B71881BB4E3B00732CE56E5C,IMPHASH=58F905117CF0434AF54A7CD9D43EEF30trueMicrosoft WindowsValid 10341000x80000000000000007993301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.910{3BF36828-E8AA-60DD-FC01-00000000C801}34883928C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.910{3BF36828-E8AA-60DD-FC01-00000000C801}34883928C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 734700x80000000000000007993299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.910{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\MSWB7.dll10.0.14393.2791 (rs1_release.190205-1511)MSWB7 DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSWB7.dllMD5=5C7C3EBF7A50560DE37B750F3BB0F2B2,SHA256=227474B4306F6FA4F4A7EC5DAE2E91104BA6A156E31BDAD4B82D2E5426A53729,IMPHASH=A39738A99E764D3F4E439E2498C99B04trueMicrosoft WindowsValid 734700x80000000000000007993298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.895{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.ProxyStub.dll10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)"CortanaApi.ProxyStub.DYNLINK"Microsoft® Windows® Operating SystemMicrosoft Corporation"CortanaApi.ProxyStub.DYNLINK"MD5=D52CF10DE320A1C64B0A342159A2F86E,SHA256=AD9848E33DA0B44F41BBF55236DE92F87F7EDBF67542C1E97B1C7BD897A64F0E,IMPHASH=667008095DFCABB963146EDE86598EEFtrueMicrosoft WindowsValid 23542300x80000000000000007993297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.895{3BF36828-E8AC-60DD-0802-00000000C801}3600ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\2OZ2JCZ6\microsoft.windows[1].xmlMD5=C1DDEA3EF6BBEF3E7060A1A9AD89E4C5,SHA256=B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007993296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.879{3BF36828-E975-60DD-2802-00000000C801}3792C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007993295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.879{3BF36828-E975-60DD-2802-00000000C801}3792C:\Windows\System32\dllhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007993294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.879{3BF36828-E975-60DD-2802-00000000C801}3792C:\Windows\System32\dllhost.exeC:\Windows\System32\indexeddbserver.dll10.0.14393.4169 (rs1_release.210107-1130)IndexedDb hostMicrosoft® Windows® Operating SystemMicrosoft Corporationindexeddb.DLLMD5=C137C0628B2EE5F6703F2D9770E4F128,SHA256=862C55A237F523E0919348D42CDB57D204555C05FA84E32D77ACB4778F6AEC94,IMPHASH=F2930DCF8E4EC6905600CC18B9275F1FtrueMicrosoft WindowsValid 10341000x80000000000000007993293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.879{3BF36828-DD0D-60DD-0F00-00000000C801}3442016C:\Windows\system32\svchost.exe{3BF36828-E975-60DD-2802-00000000C801}3792C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.879{3BF36828-DD0D-60DD-0F00-00000000C801}3441364C:\Windows\system32\svchost.exe{3BF36828-E975-60DD-2802-00000000C801}3792C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007993291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.879{3BF36828-E975-60DD-2802-00000000C801}3792C:\Windows\System32\dllhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x80000000000000007993290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.879{3BF36828-E975-60DD-2802-00000000C801}3792C:\Windows\System32\dllhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x80000000000000007993289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.879{3BF36828-E975-60DD-2802-00000000C801}3792C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007993288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.879{3BF36828-E975-60DD-2802-00000000C801}3792C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007993287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.879{3BF36828-E975-60DD-2802-00000000C801}3792C:\Windows\System32\dllhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007993286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.879{3BF36828-E975-60DD-2802-00000000C801}3792C:\Windows\System32\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007993285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.879{3BF36828-E975-60DD-2802-00000000C801}3792C:\Windows\System32\dllhost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x80000000000000007993284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.879{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E975-60DD-2802-00000000C801}3792C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007993283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.879{3BF36828-E975-60DD-2802-00000000C801}3792C:\Windows\System32\dllhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x80000000000000007993282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.879{3BF36828-E975-60DD-2802-00000000C801}3792C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007993281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.879{3BF36828-E975-60DD-2802-00000000C801}3792C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007993280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.879{3BF36828-E975-60DD-2802-00000000C801}3792C:\Windows\System32\dllhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007993279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.863{3BF36828-E975-60DD-2802-00000000C801}3792C:\Windows\System32\dllhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007993278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.863{3BF36828-E975-60DD-2802-00000000C801}3792C:\Windows\System32\dllhost.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007993277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.863{3BF36828-E975-60DD-2802-00000000C801}3792C:\Windows\System32\dllhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x80000000000000007993276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.863{3BF36828-E8A8-60DD-F501-00000000C801}2576416C:\Windows\system32\csrss.exe{3BF36828-E975-60DD-2802-00000000C801}3792C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x80000000000000007993275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.863{3BF36828-E975-60DD-2802-00000000C801}3792C:\Windows\System32\dllhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007993274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.863{3BF36828-E975-60DD-2802-00000000C801}3792C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007993273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.863{3BF36828-E975-60DD-2802-00000000C801}3792C:\Windows\System32\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007993272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.863{3BF36828-E975-60DD-2802-00000000C801}3792C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E,IMPHASH=1C99A7F1249FB0C7B924253B69E59F88trueMicrosoft WindowsValid 10341000x80000000000000007993271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.863{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E975-60DD-2802-00000000C801}3792C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007993270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.863{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E975-60DD-2802-00000000C801}3792C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007993269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.863{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\indexeddbserver.dll10.0.14393.4169 (rs1_release.210107-1130)IndexedDb hostMicrosoft® Windows® Operating SystemMicrosoft Corporationindexeddb.DLLMD5=C137C0628B2EE5F6703F2D9770E4F128,SHA256=862C55A237F523E0919348D42CDB57D204555C05FA84E32D77ACB4778F6AEC94,IMPHASH=F2930DCF8E4EC6905600CC18B9275F1FtrueMicrosoft WindowsValid 734700x80000000000000007993268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.848{3BF36828-E975-60DD-2702-00000000C801}1596C:\Windows\System32\dllhost.exeC:\Windows\System32\indexeddbserver.dll10.0.14393.4169 (rs1_release.210107-1130)IndexedDb hostMicrosoft® Windows® Operating SystemMicrosoft Corporationindexeddb.DLLMD5=C137C0628B2EE5F6703F2D9770E4F128,SHA256=862C55A237F523E0919348D42CDB57D204555C05FA84E32D77ACB4778F6AEC94,IMPHASH=F2930DCF8E4EC6905600CC18B9275F1FtrueMicrosoft WindowsValid 734700x80000000000000007993267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.863{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\StateRepository.Core.dll10.0.14393.4169 (rs1_release.210107-1130)StateRepository CoreMicrosoft® Windows® Operating SystemMicrosoft CorporationStateRepository.Core.dllMD5=94299201E0B602E4692F61C5A46E32D9,SHA256=D343410FB20D88B74BF661CACADBBD913034D02410A826A84D60B2B66A95A862,IMPHASH=53CA7FAF1CEDFB0EC8CCD763B974D4A1trueMicrosoft WindowsValid 734700x80000000000000007993266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.863{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\Windows.StateRepository.dll10.0.14393.4169 (rs1_release.210107-1130)Windows StateRepository API ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.StateRepository.dllMD5=8F4457905D80A520C684CA48F807C268,SHA256=623299C57C3148EB7B8EE0FE22F2E8A4C7A41712A87D43074E56643BEB84C06A,IMPHASH=A28EA9ED587BD4511849B7BB44021022trueMicrosoft WindowsValid 734700x80000000000000007993265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.848{3BF36828-E975-60DD-2702-00000000C801}1596C:\Windows\System32\dllhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x80000000000000007993264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.848{3BF36828-E975-60DD-2702-00000000C801}1596C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007993263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.848{3BF36828-E975-60DD-2702-00000000C801}1596C:\Windows\System32\dllhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007993262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.832{3BF36828-E975-60DD-2702-00000000C801}1596C:\Windows\System32\dllhost.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 10341000x80000000000000007993261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.848{3BF36828-DD0D-60DD-0F00-00000000C801}3442016C:\Windows\system32\svchost.exe{3BF36828-E975-60DD-2702-00000000C801}1596C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.848{3BF36828-DD0D-60DD-0F00-00000000C801}3441364C:\Windows\system32\svchost.exe{3BF36828-E975-60DD-2702-00000000C801}1596C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007993259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.832{3BF36828-E975-60DD-2702-00000000C801}1596C:\Windows\System32\dllhost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x80000000000000007993258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.832{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E975-60DD-2702-00000000C801}1596C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007993257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.832{3BF36828-E975-60DD-2702-00000000C801}1596C:\Windows\System32\dllhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x80000000000000007993256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.832{3BF36828-E975-60DD-2702-00000000C801}1596C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007993255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.832{3BF36828-E975-60DD-2702-00000000C801}1596C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007993254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.832{3BF36828-E975-60DD-2702-00000000C801}1596C:\Windows\System32\dllhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007993253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.832{3BF36828-E975-60DD-2702-00000000C801}1596C:\Windows\System32\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007993252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.832{3BF36828-E975-60DD-2702-00000000C801}1596C:\Windows\System32\dllhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x80000000000000007993251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.832{3BF36828-E975-60DD-2702-00000000C801}1596C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007993250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.832{3BF36828-E975-60DD-2702-00000000C801}1596C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007993249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.832{3BF36828-E975-60DD-2702-00000000C801}1596C:\Windows\System32\dllhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007993248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.832{3BF36828-E975-60DD-2702-00000000C801}1596C:\Windows\System32\dllhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007993247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.832{3BF36828-E975-60DD-2702-00000000C801}1596C:\Windows\System32\dllhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x80000000000000007993246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.817{3BF36828-E8A8-60DD-F501-00000000C801}25762064C:\Windows\system32\csrss.exe{3BF36828-E975-60DD-2702-00000000C801}1596C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x80000000000000007993245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.817{3BF36828-E8AC-60DD-0802-00000000C801}3600ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\2OZ2JCZ6\microsoft.windows[1].xmlMD5=C14B43EADD41EB8ED00E85CF7B973B82,SHA256=A58CE60C6D2077C62C0252193BAC0247460951E043168CBAFA81B8974D83A242,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007993244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.817{3BF36828-E975-60DD-2702-00000000C801}1596C:\Windows\System32\dllhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007993243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.817{3BF36828-E975-60DD-2702-00000000C801}1596C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007993242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.817{3BF36828-E975-60DD-2702-00000000C801}1596C:\Windows\System32\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007993241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.817{3BF36828-E975-60DD-2702-00000000C801}1596C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E,IMPHASH=1C99A7F1249FB0C7B924253B69E59F88trueMicrosoft WindowsValid 10341000x80000000000000007993240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.817{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E975-60DD-2702-00000000C801}1596C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007993239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.817{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E975-60DD-2702-00000000C801}1596C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.817{3BF36828-E8AA-60DD-FC01-00000000C801}34883928C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.817{3BF36828-E8AA-60DD-FC01-00000000C801}34883928C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 734700x80000000000000007993236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.801{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\WinMetadata\Windows.UI.winmd10.0.10011.16384Windows SDK metadataWindows SDKMicrosoft Corporation-MD5=AA343736DAADD1B736E5BBBD3EC5E5CC,SHA256=BA3CC83A7A4E9BA542558909CDF413FB6B172ECC020A9DBFEFC49F9BB17795E9,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007993235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.785{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\WordBreakers.dll10.0.14393.4169 (rs1_release.210107-1130)"WordBreakers.DYNLINK"Microsoft® Windows® Operating SystemMicrosoft Corporation"WordBreakers.DYNLINK"MD5=368F155F9A0E6CE5EC3DA5185C8A3C33,SHA256=88CA175C923EFE37AD605D7E3286CFB39EB192B960B5CF87150EE086D2A0199E,IMPHASH=5349BBBB48AF8F2DDF1F58A89D8F7CE2trueMicrosoft WindowsValid 734700x80000000000000007993234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.754{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\WinMetadata\Windows.Web.winmd10.0.10011.16384Windows SDK metadataWindows SDKMicrosoft Corporation-MD5=05A0DA19CDE8CD78408BCD0699E4DA41,SHA256=EFD64061CF00FFBED5640BF91C49FA989BECF7BF64DC945B380F53CC7ECBF59D,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007993233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.645{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\WinMetadata\Windows.System.winmd10.0.10011.16384Windows SDK metadataWindows SDKMicrosoft Corporation-MD5=068414C1DA971123D1E9929366E84587,SHA256=0CECAFDF74C26D56E1C2830A2DAF93F03F97A92963CAFAA7195BAA26A1C3F923,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007993232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.645{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.SPA.winmd-----MD5=C493EDC306102A26A24DC9DA32FE22F3,SHA256=98BC3BCD6BA112108AFD2A0BE59F890B5DB25AB6852EB5C1BDCC71BE9C1752A2,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007993231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.645{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\WinMetadata\Windows.Storage.winmd10.0.10011.16384Windows SDK metadataWindows SDKMicrosoft Corporation-MD5=01B5B26ECF5D00AA5EFF8F338DB9D3BF,SHA256=7F2E662062C97A685B26DAB91C1E77715CC68241343367B4F9A86FA23B46D9C2,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007993230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.645{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Tips.winmd-----MD5=3C80560C30AD2BE58A49A785BFCC0F7C,SHA256=1CE0A7BDD02EB08984D50A0D9D343A49E4C12F77F59494896E3A1667D70F6037,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007993229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.645{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\WinMetadata\Windows.Security.winmd10.0.10011.16384Windows SDK metadataWindows SDKMicrosoft Corporation-MD5=28D0A50E6F86302879C69F355C457E03,SHA256=3985EE10F6B61B867D891B3113FE660D38FC66494F895CF04EB24828E505A31E,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007993228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.629{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\WinMetadata\Windows.Foundation.winmd10.0.10011.16384Windows SDK metadataWindows SDKMicrosoft Corporation-MD5=BFD9E7042DFFEB1514B269AD48EC2EFA,SHA256=AA96696B3BF450DF4473A2DAD21ACF2BCE5673BF02361B3AFBB302D851A3BDEF,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007993227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.629{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Search.winmd-----MD5=7A52B044D782D6D124FBCFC0CEBC33A0,SHA256=8B88AF514367319CE7642A0BFFC3775F147ECEC79B4BFB5A7A5E9403C1A99089,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007993226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.629{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Internal.Search.winmd-----MD5=11841D432F863B175E48F514DCC39523,SHA256=807938C694BEF66ACCB7C0333C00D07AD4A0FF88A3097A06F578371DD5334EBC,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007993225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.629{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\rometadata.dll4.6.1586.0 built by: NETFXREL2Microsoft MetaData LibraryMicrosoft® .NET FrameworkMicrosoft CorporationRoMetadata.dllMD5=1D59FBE55DAA1BA99EF01B2F7DFBBA06,SHA256=9DBC58AF89D741C05979B727FA5EF914674A05FE97562E6CD714AE8DAF49160E,IMPHASH=11B8DBACAC595313B3296107F62648E7trueMicrosoft CorporationValid 734700x80000000000000007993224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.551{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x80000000000000007993223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.551{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1,IMPHASH=77951C1B66390D48C5FC7B47D7C8668AtrueMicrosoft WindowsValid 734700x80000000000000007993222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.535{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 734700x80000000000000007993221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.535{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355,IMPHASH=FE994282C73F9AB11AC9B6E37AC26B47trueMicrosoft WindowsValid 734700x80000000000000007993220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.504{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\msimtf.dll10.0.14393.0 (rs1_release.160715-1616)Active IMM Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSIMTF.DLLMD5=BAAE2C3547EB0A28AAD2C1237732BAE1,SHA256=314348DB567C72EE00B14C8094818AA3278037DB0490487509FB38B0E2222509,IMPHASH=6F06E66C95EF188EDA6C1FD34DD15FB4trueMicrosoft WindowsValid 734700x80000000000000007993219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.488{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\srpapi.dll10.0.14393.4350 (rs1_release.210407-2154)SRP APIs DllMicrosoft® Windows® Operating SystemMicrosoft Corporationsrpapi.dllMD5=6EE744B7052F6DE1C9870F9C97FDB42F,SHA256=6FE549AAB3A751D32F4FE7A1492BE85B4FD4AD718A9561CBAB6E82B97BCFDD40,IMPHASH=8C07B81A4B319D612B954B42DF3C1D74trueMicrosoft WindowsValid 734700x80000000000000007993218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.473{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\Chakra.dll11.00.14393.4169 (rs1_release.210107-1130)Microsoft ® Chakra (Private)Internet ExplorerMicrosoft Corporationchakra.dllMD5=460B16F474BC84721FACC52FDAF03A78,SHA256=2A6D2F3989DD1B62DF39667D98B068DD550C38D7DB9007869795372C50B6785B,IMPHASH=56CBAE8EB3D7528A31E2436C1748945DtrueMicrosoft WindowsValid 734700x80000000000000007993217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.395{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=1DB944C25F1B1D7105543E61F1CC5E2F,SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046,IMPHASH=563B6F147961D943E0261E05EAD94B56trueMicrosoft WindowsValid 734700x80000000000000007993216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.379{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\edgehtml.dll11.00.14393.4283 (rs1_release.210303-1802)Microsoft Edge Web PlatformMicrosoft Edge Web PlatformMicrosoft CorporationEDGEHTML.DLLMD5=C7E5ED81EEE568646AAE29122A8E5986,SHA256=24B8F6966E5EA1CDDAFD6532E5685F4BE918329B054991DB190BF0A65E80D3E9,IMPHASH=8F13197AAE4ADB5C15C6FC595AC9BB37trueMicrosoft WindowsValid 10341000x80000000000000007993215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.598{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000007993214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.598{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 734700x80000000000000007993213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.567{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007993212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.551{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\profext.dll10.0.14393.4283 (rs1_release.210303-1802)profextMicrosoft® Windows® Operating SystemMicrosoft Corporationprofext.dllMD5=3490D2800E46CE473BEFAF747D85F2D0,SHA256=ABE7C0822FB81A5B609F4F02070BCE6CE8CF51CAE49503F23B5AB92C811EF961,IMPHASH=82DBC5DF78A34C977A610912E2732607trueMicrosoft WindowsValid 23542300x80000000000000007993211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.551{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C2B54C0246DF206D01E86135814620F,SHA256=617BB32DBCA9454DBEC6332D97BE39C7F73A6CCA6ECDC5F7C41606CAAACFC335,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007993210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.551{3BF36828-E8AA-60DD-0002-00000000C801}2136C:\Windows\System32\taskhostw.exeC:\Windows\System32\userenv.dll10.0.14393.3986 (rs1_release.201002-1707)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=047D26DCED07A10913C3E7C3A7502BED,SHA256=143C661F79AC6BB271452A10C2A19F6B1AAAAE43B4062B6CFF173F7D8ABC40FE,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 23542300x80000000000000007993209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.551{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F82E44C21B07515AC2EB0A019C555DA2,SHA256=EDA5E0AB97AFFBA01B739550ABCFF1B0087830765849C2F8FA940741F4C3ACFC,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007993208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.551{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\profext.dll10.0.14393.4283 (rs1_release.210303-1802)profextMicrosoft® Windows® Operating SystemMicrosoft Corporationprofext.dllMD5=3490D2800E46CE473BEFAF747D85F2D0,SHA256=ABE7C0822FB81A5B609F4F02070BCE6CE8CF51CAE49503F23B5AB92C811EF961,IMPHASH=82DBC5DF78A34C977A610912E2732607trueMicrosoft WindowsValid 734700x80000000000000007993207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.551{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\userenv.dll10.0.14393.3986 (rs1_release.201002-1707)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=047D26DCED07A10913C3E7C3A7502BED,SHA256=143C661F79AC6BB271452A10C2A19F6B1AAAAE43B4062B6CFF173F7D8ABC40FE,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x80000000000000007993206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.535{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\wininet.dll11.00.14393.4402 (rs1_release.210426-1725)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=27D3D531D0EA9B3EE7F54C4DE5A15946,SHA256=05254BA3332E887C9F97D42406A7C2CEE4DF405ECAF39391968FD472CC4F1F89,IMPHASH=B3ABC7D59C2B1ACAEECA63C53B0AAC4BtrueMicrosoft WindowsValid 734700x80000000000000007993205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.160{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\OneCoreCommonProxyStub.dll10.0.14393.2395 (rs1_release_inmarket.180714-1932)OneCore Common Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationOneCoreCommonProxyStub.dllMD5=02CEC1566FB0709923FF7A9FEC254D96,SHA256=81BED60AEB79C489E9F79996A3F0AB626E6CA247EBB656B6B9897C47A39F6AFB,IMPHASH=69A8B7E9F373278F52FE45A83CE3A380trueMicrosoft WindowsValid 734700x80000000000000007993204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.160{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\execmodelproxy.dll10.0.14393.0 (rs1_release.160715-1616)ExecModelProxyMicrosoft® Windows® Operating SystemMicrosoft CorporationExecModelProxy.dllMD5=A0251547D09C624F5E0FDFED5F14C834,SHA256=A6E167A77AC44A73323B8FF65E1FA2BAEDC0E092255F81FE041B35D40970FF90,IMPHASH=B1BB7A0B17604581DFBD9AE821306153trueMicrosoft WindowsValid 734700x80000000000000007993203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.160{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.4169 (rs1_release.210107-1130)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=B877C5BDEA2215B3D3CF89F645EB535C,SHA256=2F5468CC4277C8CB4B2AD1095AFC739ECAE0F0B6EE78E57BF64A97F3BDA54C19,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 10341000x80000000000000007993202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.145{3BF36828-E8AA-60DD-FC01-00000000C801}34883928C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000007993201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.145{3BF36828-E8AA-60DD-FC01-00000000C801}34883928C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 734700x80000000000000007993200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.145{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207,IMPHASH=24160898971C9C6FED5AE429E3AAD3DAtrueMicrosoft WindowsValid 734700x80000000000000007993199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.129{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\CoreMessaging.dll10.0.14393.3930Microsoft CoreMessaging DllMicrosoft® Windows® Operating SystemMicrosoft CorporationCoreMessaging.dllMD5=3D9D2F367587B2E93F2868F52D4ACBDD,SHA256=B4B27A7D4B9B685B6015D090B6A3E0E578AFBDE8D6C06A8F2E606A439D5A4BA4,IMPHASH=92CA7117B99353AC45978E95EEB5A46DtrueMicrosoft WindowsValid 10341000x80000000000000007993198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.114{3BF36828-E8AB-60DD-0602-00000000C801}38123588C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.114{3BF36828-E8AB-60DD-0602-00000000C801}38123588C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.114{3BF36828-E8AB-60DD-0602-00000000C801}3812516C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.114{3BF36828-E8AB-60DD-0602-00000000C801}3812516C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007993194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.114{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\ExecModelClient.dll10.0.14393.4169 (rs1_release.210107-1130)ExecModelClientMicrosoft® Windows® Operating SystemMicrosoft CorporationExecModelClient.dllMD5=178BCB2B937C94CA144C326FD678A322,SHA256=932D0710FD612EDBE2D0433ABE294AD17D23CB8D43DE7F4CD8E01C58D279C1CE,IMPHASH=B1099E1B098B6F4C7DC6D071206DFC70trueMicrosoft WindowsValid 10341000x80000000000000007993193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.114{3BF36828-E8AB-60DD-0602-00000000C801}38123588C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.114{3BF36828-E8AB-60DD-0602-00000000C801}38123588C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015899933Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:37.346{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9AE823D2C9557510214A42802836EF2,SHA256=E8DD499D011EE9DE9ECB7B72B5E315D37A58BB1B482885D454C929034BBE2AC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007993423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.954{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\Windows.Storage.Search.dll10.0.14393.4169 (rs1_release.210107-1130)Windows.Storage.SearchMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.Search.dllMD5=17D1040EDBA639BD1C2F7577D1070498,SHA256=E3F2CF21782C856A639525E84FF3C413C7CD091297C9A248CBC24541E2D76584,IMPHASH=DE60A0BFF7F6069AA615B149D44D1D3FtrueMicrosoft WindowsValid 734700x80000000000000007993422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.938{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\MSWB7.dll10.0.14393.2791 (rs1_release.190205-1511)MSWB7 DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSWB7.dllMD5=5C7C3EBF7A50560DE37B750F3BB0F2B2,SHA256=227474B4306F6FA4F4A7EC5DAE2E91104BA6A156E31BDAD4B82D2E5426A53729,IMPHASH=A39738A99E764D3F4E439E2498C99B04trueMicrosoft WindowsValid 734700x80000000000000007993421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.907{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\OneCoreUAPCommonProxyStub.dll10.0.14393.3808 (rs1_release.200707-2105)OneCoreUAP Common Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationOneCoreUAPCommonProxyStub.dllMD5=9F8EF1431E82015CD1918582A770DB35,SHA256=FC2073DCE9AC41DBF338FAFE85F2429D6D3812573D2192C7A906C1D46E0AB4FA,IMPHASH=D919FF32201FBB7C5B3EF498D589EAE4trueMicrosoft WindowsValid 734700x80000000000000007993420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.923{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\StructuredQuery.dll7.0.14393.4169 (rs1_release.210107-1130)Structured QueryWindows® SearchMicrosoft CorporationStructuredQuery.dllMD5=330E02FA330C93B93B477AA2F88C8A3A,SHA256=958A6977B820D04D94C8FD85C23CC62D77F0498BB59A648744E8F43704FD7F26,IMPHASH=870079407DAAD548AC5B3F417EEBB243trueMicrosoft WindowsValid 10341000x80000000000000007993419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.907{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.907{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.907{3BF36828-E8AA-60DD-FC01-00000000C801}34881396C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+36f20|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+32f80|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+22534|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\SharedStartModel.dll+77f37|C:\Windows\System32\SharedStartModel.dll+b2d9d|C:\Windows\System32\SharedStartModel.dll+b2a24|C:\Windows\System32\SharedStartModel.dll+b2fab|C:\Windows\system32\windows.cortana.Desktop.dll+a274|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f 734700x80000000000000007993416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.907{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\ntoskrnl.exe10.0.14393.4402 (rs1_release.210426-1725)NT Kernel & SystemMicrosoft® Windows® Operating SystemMicrosoft Corporationntkrnlmp.exeMD5=5F5F07C5B9FF9BA2AF5894C5F42C4E99,SHA256=A370B2F2D46AF560C24B3F7FE170D6EFCA8CF94B06F89185B3AFF61E77E591A6,IMPHASH=28C22BC918D86AD8BBCB5C7E356B4701trueMicrosoft WindowsValid 734700x80000000000000007993415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.907{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\Windows.Internal.Shell.Broker.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Shell BrokerMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Internal.Shell.Broker.dllMD5=6F20F13032F6BD2E2DA4DCF7FC3B7D10,SHA256=3A8786CCB21AD1AE7301943E891336084CDF42EC906B549766D5D85FF033237E,IMPHASH=9E3ABA0295C7548C4F5020B4E453434CtrueMicrosoft WindowsValid 734700x80000000000000007993414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.892{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 10341000x80000000000000007993413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.892{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.892{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.892{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.892{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007993409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.892{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\policymanager.dll10.0.14393.4169 (rs1_release.210107-1130)Policy Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPolicyManager.dllMD5=58677E3FBF7D29109E8EB578062F1C81,SHA256=F751521EBC10CC1F0BC6AAB2715B9169439A014F178A7D6880080567D880C103,IMPHASH=E1BC13C6E7766D0332C0420A512C2799trueMicrosoft WindowsValid 10341000x80000000000000007993408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.892{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.892{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007993406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.892{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\SharedStartModel.dll10.0.14393.4169 (rs1_release.210107-1130)Shared Start Model InProc ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationSharedStartModel.dllMD5=1ED630477E6FEFE3C7722FDBA69D905F,SHA256=96846D692A680859F229E9E8BA01A04DB81808871F61E1D1674919DBCF333287,IMPHASH=D57A6858D1CBDF14F3CE8801F944C825trueMicrosoft WindowsValid 10341000x80000000000000007993405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.892{3BF36828-E8AA-60DD-FC01-00000000C801}34881600C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+cdc7|C:\Windows\system32\windows.cortana.Desktop.dll+aedd|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.892{3BF36828-E8AA-60DD-FC01-00000000C801}34881600C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+ae11|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.360{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007993402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.360{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007993401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.360{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007993400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.360{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007993399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.360{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007993398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.360{3BF36828-E8AA-60DD-FD01-00000000C801}32804024C:\Windows\system32\sihost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.298{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007993396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.298{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007993395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.298{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007993394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.298{3BF36828-DD1D-60DD-2B00-00000000C801}12805096C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000007993393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.298{3BF36828-DD1D-60DD-2B00-00000000C801}12805096C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 23542300x80000000000000007993392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.235{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E3A859F9FA806712BAFF2B9EB56C059,SHA256=7F16779F4C07866E9F81E2CBE07CEF4F0B12B779CC8C1A3A7A75E0EFB63DB221,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007993391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.020{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x80000000000000007993390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.004{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.14393.2457_none_a13eaee9d8fd5c07\comctl32.dll5.82 (rs1_release_inmarket.180822-1743)Common Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMCTL32.DLLMD5=C89866876D676708892DEEA04A886CDA,SHA256=6C498F9AFFC75DFAADDACB9D1D4248862622FB2B06F0A410BA303A26FEADFF2B,IMPHASH=49FE37530A5C395ADDDAFC2730B16DDDtrueMicrosoft WindowsValid 10341000x80000000000000007993389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.110{3BF36828-E8AA-60DD-FC01-00000000C801}34883928C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+f0036|C:\Windows\System32\windows.storage.dll+f1998|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007993388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.110{3BF36828-E8AA-60DD-FC01-00000000C801}34881396C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+f0036|C:\Windows\System32\windows.storage.dll+f1998|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007993387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.110{3BF36828-E8AA-60DD-FC01-00000000C801}34883928C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+5d030|C:\Windows\System32\windows.storage.dll+6c014|C:\Windows\System32\windows.storage.dll+178c6b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x80000000000000007993386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.110{3BF36828-E8AA-60DD-FC01-00000000C801}34881396C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+5d030|C:\Windows\System32\windows.storage.dll+6c014|C:\Windows\System32\windows.storage.dll+178c6b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x80000000000000007993385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.110{3BF36828-E8AA-60DD-FC01-00000000C801}34881396C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+f0036|C:\Windows\System32\windows.storage.dll+f1998|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007993384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.110{3BF36828-E8AA-60DD-FC01-00000000C801}34881396C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+5d030|C:\Windows\System32\windows.storage.dll+6c014|C:\Windows\System32\windows.storage.dll+178c6b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x80000000000000007993383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.110{3BF36828-E8AA-60DD-FC01-00000000C801}34881600C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.110{3BF36828-E8AA-60DD-FC01-00000000C801}34881600C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.110{3BF36828-E8AA-60DD-FC01-00000000C801}34881600C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.110{3BF36828-E8AA-60DD-FC01-00000000C801}34881600C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.110{3BF36828-E8AA-60DD-FC01-00000000C801}34884412C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.110{3BF36828-E8AA-60DD-FC01-00000000C801}34884412C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 734700x80000000000000007993377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.004{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\msdart.dll10.0.14393.0 (rs1_release.160715-1616)OLE DB Runtime RoutinesMicrosoft® Windows® Operating SystemMicrosoft Corporationmsdart.dllMD5=2D8AE33BC433EFE81FB9F5B126B4A0A9,SHA256=5BC4D64A18925CFB39C898E954BC24473BCCFDA11E31A8FD7E01F8F888BD6B76,IMPHASH=115EB10C88C8AF50DD182CFA7531BA0CtrueMicrosoft WindowsValid 10341000x80000000000000007993376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.110{3BF36828-E8AA-60DD-FC01-00000000C801}34881396C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+f0036|C:\Windows\System32\windows.storage.dll+f1998|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007993375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.110{3BF36828-E8AA-60DD-FC01-00000000C801}34881396C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+5d030|C:\Windows\System32\windows.storage.dll+6c014|C:\Windows\System32\windows.storage.dll+178c6b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x80000000000000007993374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.110{3BF36828-E8AA-60DD-FC01-00000000C801}34884412C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.110{3BF36828-E8AA-60DD-FC01-00000000C801}34884412C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 734700x80000000000000007993372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.988{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Program Files\Common Files\System\Ole DB\oledb32.dll10.0.14393.4169 (rs1_release.210107-1130)OLE DB Core ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationoledb32.dllMD5=1C9084B11668B0E8E83D7887BC2BDA33,SHA256=A2FF5347549ECCC9804F180C34D465AFA55027B3B0F614A2666934FA2963F436,IMPHASH=A09B8303CAADE20549BE153591374A00trueMicrosoft WindowsValid 10341000x80000000000000007993371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.095{3BF36828-E8AA-60DD-FC01-00000000C801}34882820C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.095{3BF36828-E8AA-60DD-FC01-00000000C801}34881600C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.095{3BF36828-E8AA-60DD-FC01-00000000C801}34882820C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000007993368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.095{3BF36828-E8AA-60DD-FC01-00000000C801}34884412C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.095{3BF36828-E8AA-60DD-FC01-00000000C801}34881600C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000007993366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.095{3BF36828-E8AA-60DD-FC01-00000000C801}34884412C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000007993365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.095{3BF36828-E8AA-60DD-FC01-00000000C801}34884412C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.095{3BF36828-E8AA-60DD-FC01-00000000C801}34884412C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 734700x80000000000000007993363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.988{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117,IMPHASH=BF1AF19CCBABA6D54178C43BE36CD985trueMicrosoft WindowsValid 734700x80000000000000007993362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.973{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\BCP47Langs.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)BCP47 Language ClassesMicrosoft® Windows® Operating SystemMicrosoft CorporationBCP47Lang.dllMD5=F688C2B9DD2EB56C3B0312B6380338AA,SHA256=B22DB210486D3B5F4EEB17900C5E7AA0EEFEDBB068A0C4858EFE9F8018C34628,IMPHASH=31EA1856BC7597303D8126028BBFDFB8trueMicrosoft WindowsValid 734700x80000000000000007993361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.973{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\Windows.UI.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Runtime UI Foundation DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.UI.dllMD5=FEC31833E8D13591BAECE59B8E39F53C,SHA256=424BAEA0DC8EF34305A881F9B36F22E8CFECA403A0D03B61782D69535387A401,IMPHASH=B073DE28C43175420FE754415439CCEAtrueMicrosoft WindowsValid 734700x80000000000000007993360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.973{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\iertutil.dll11.00.14393.4283 (rs1_release.210303-1802)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=5541A4A7FB64063F8AFB192ABD4DAE70,SHA256=AABF2E6C392F29B77F076BF705976B68B3100138BC63060335BD154B8417754D,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 10341000x80000000000000007993359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.049{3BF36828-E8AA-60DD-FC01-00000000C801}34881396C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+f0036|C:\Windows\System32\windows.storage.dll+f1998|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007993358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.049{3BF36828-E8AA-60DD-FC01-00000000C801}34881396C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+5d030|C:\Windows\System32\windows.storage.dll+6c014|C:\Windows\System32\windows.storage.dll+178c6b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x80000000000000007993357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.049{3BF36828-E8AA-60DD-FC01-00000000C801}34881396C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+f0036|C:\Windows\System32\windows.storage.dll+f1998|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007993356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.049{3BF36828-E8AA-60DD-FC01-00000000C801}34881396C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+5d030|C:\Windows\System32\windows.storage.dll+6c014|C:\Windows\System32\windows.storage.dll+178c6b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x80000000000000007993355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.045{3BF36828-E8AA-60DD-FC01-00000000C801}34881600C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.045{3BF36828-E8AA-60DD-FC01-00000000C801}34881600C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.045{3BF36828-E8AA-60DD-FC01-00000000C801}34884412C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.045{3BF36828-E8AA-60DD-FC01-00000000C801}34884412C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.037{3BF36828-E8AA-60DD-FC01-00000000C801}34881396C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+f0036|C:\Windows\System32\windows.storage.dll+f1998|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007993350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.037{3BF36828-E8AA-60DD-FC01-00000000C801}34881396C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+5d030|C:\Windows\System32\windows.storage.dll+6c014|C:\Windows\System32\windows.storage.dll+178c6b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x80000000000000007993349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.037{3BF36828-E8AA-60DD-FC01-00000000C801}34881396C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+f0036|C:\Windows\System32\windows.storage.dll+f1998|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007993348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.037{3BF36828-E8AA-60DD-FC01-00000000C801}34881396C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+5d030|C:\Windows\System32\windows.storage.dll+6c014|C:\Windows\System32\windows.storage.dll+178c6b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x80000000000000007993347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.033{3BF36828-E8AA-60DD-FC01-00000000C801}34884412C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.033{3BF36828-E8AA-60DD-FC01-00000000C801}34884412C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.033{3BF36828-E8AA-60DD-FC01-00000000C801}34881600C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.033{3BF36828-E8AA-60DD-FC01-00000000C801}34881600C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 734700x80000000000000007993343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.973{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\MrmCoreR.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Windows MRMMicrosoft® Windows® Operating SystemMicrosoft CorporationMrmCore.dllMD5=D730B5700BEB4A7E6E4244684356739C,SHA256=26083BEB490E48F5711D69A0E597B7A4CC6FB4B31EDCD535A0FF0DFBE4E6F8DD,IMPHASH=462A9FA6F44F25C68798F197AC8EC9D9trueMicrosoft WindowsValid 10341000x80000000000000007993342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.020{3BF36828-E8AA-60DD-FC01-00000000C801}34883928C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+f0036|C:\Windows\System32\windows.storage.dll+f1998|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007993341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.020{3BF36828-E8AA-60DD-FC01-00000000C801}34883928C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+5d030|C:\Windows\System32\windows.storage.dll+6c014|C:\Windows\System32\windows.storage.dll+178c6b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x80000000000000007993340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.020{3BF36828-E8AA-60DD-FC01-00000000C801}34883928C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+f0036|C:\Windows\System32\windows.storage.dll+f1998|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007993339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.020{3BF36828-E8AA-60DD-FC01-00000000C801}34881396C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+f0036|C:\Windows\System32\windows.storage.dll+f1998|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000007993338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.020{3BF36828-E8AA-60DD-FC01-00000000C801}34883928C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+5d030|C:\Windows\System32\windows.storage.dll+6c014|C:\Windows\System32\windows.storage.dll+178c6b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x80000000000000007993337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.020{3BF36828-E8AA-60DD-FC01-00000000C801}34881396C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d191|C:\Windows\System32\windows.storage.dll+5d030|C:\Windows\System32\windows.storage.dll+6c014|C:\Windows\System32\windows.storage.dll+178c6b|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x80000000000000007993336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.020{3BF36828-E8AA-60DD-FC01-00000000C801}34884412C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.020{3BF36828-E8AA-60DD-FC01-00000000C801}34883888C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.020{3BF36828-E8AA-60DD-FC01-00000000C801}34884412C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000007993333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.020{3BF36828-E8AA-60DD-FC01-00000000C801}34883888C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000007993332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.020{3BF36828-E8AA-60DD-FC01-00000000C801}34882820C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.020{3BF36828-E8AA-60DD-FC01-00000000C801}34882820C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000007993330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.020{3BF36828-E8AA-60DD-FC01-00000000C801}34881600C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.020{3BF36828-E8AA-60DD-FC01-00000000C801}34881600C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 734700x80000000000000007993328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.020{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\userenv.dll10.0.14393.3986 (rs1_release.201002-1707)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=047D26DCED07A10913C3E7C3A7502BED,SHA256=143C661F79AC6BB271452A10C2A19F6B1AAAAE43B4062B6CFF173F7D8ABC40FE,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x80000000000000007993327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.957{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\tquery.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Tripoli QueryWindows® SearchMicrosoft CorporationTQUERY.dllMD5=B9DF37B30C068E2B5A23D72BAC55FAD0,SHA256=37DD06EEF20425B3EDD1ADECC701DEE052F16CA16DE14F62057612460E5D5F21,IMPHASH=B2D5EB79B3B6EAFD7FE4708FBD5F0703trueMicrosoft WindowsValid 734700x80000000000000007993326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.004{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\twinui.dll10.0.14393.4169 (rs1_release.210107-1130)TWINUIMicrosoft® Windows® Operating SystemMicrosoft CorporationTWINUI.dllMD5=7F1F1B63C8AA1D6EA1057589ECF0AC12,SHA256=4E20B33E2E951359C9FEBD1EE66A2B24E5BAACB0C6CFF5E3543CAAB00C99AA91,IMPHASH=B98A56301D4EF217B14C24D92F13B2B4trueMicrosoft WindowsValid 734700x80000000000000007993325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.004{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\WindowsCodecs.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=B791899A46FD151559658F4F86C3C6F5,SHA256=E559B36A3CC2261C16916F2D49FA351DC4E21E5EC581AC43547ABA16F70CDA7E,IMPHASH=945C5ACF3D7F6243AD6374B1152227D8trueMicrosoft WindowsValid 10341000x80000000000000007993324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.004{3BF36828-E8AA-60DD-FC01-00000000C801}3488872C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.004{3BF36828-E8AA-60DD-FC01-00000000C801}3488872C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000007993322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.004{3BF36828-E8AA-60DD-FC01-00000000C801}34883768C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.004{3BF36828-E8AA-60DD-FC01-00000000C801}34883768C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000007993320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.004{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.004{3BF36828-E8AB-60DD-0602-00000000C801}38123588C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:38.004{3BF36828-E8AB-60DD-0602-00000000C801}38123588C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007993317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.988{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30E,IMPHASH=8F811B713271A0FEFA798FB95D523A8BtrueMicrosoft WindowsValid 10341000x80000000000000007993316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.988{3BF36828-E8AA-60DD-FC01-00000000C801}34883768C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:37.988{3BF36828-E8AA-60DD-FC01-00000000C801}34883768C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x800000000000000015899934Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:38.362{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE4CA8720D2E45D00DDA01D55EAF4A82,SHA256=AA11ACE33615A130CDEE2314250899B5083F4E90A1055CCDC7039F84554FD900,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007993496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.970{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\odbc32.dll10.0.14393.3471 (rs1_release_1.191218-1729)ODBC Driver ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationodbc32.dllMD5=7BE20E672645485F6A3B2E34389344BA,SHA256=B6F6E06CACEE09FB6CC0ACF874477FC9094EA4C14A07FF59B228BDD23C7BF02A,IMPHASH=B6FE10FF835FBB8612CC749787B5472EtrueMicrosoft WindowsValid 734700x80000000000000007993495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.985{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x80000000000000007993494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.954{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\mfc42u.dll6.06.8063.0MFCDLL Shared Library - Retail VersionMicrosoft (R) Visual C++Microsoft CorporationMFC42.DLLMD5=DD361EE0A665F41783E02CEA20285E61,SHA256=457BF44CC1BE99FD74983178AC34E83AEC2ED73DFEE9F9FC7F5F501AD8A6D03B,IMPHASH=5407FE666C5FCACC20F969C8CE05D993trueMicrosoft WindowsValid 734700x80000000000000007993493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.985{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 734700x80000000000000007993492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.970{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x80000000000000007993491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.970{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\dui70.dll10.0.14393.4169 (rs1_release.210107-1130)Windows DirectUI EngineMicrosoft® Windows® Operating SystemMicrosoft CorporationDUI70.DLLMD5=C3DC010AC7F5880CC7BE626566FC4130,SHA256=3ED6E9D0AF769B0BFBE94DFF4CC07A94A81271133FBB60C9EB02676C92FFB87E,IMPHASH=E76D3161885DD9D13E8514AFC7BF3853trueMicrosoft WindowsValid 734700x80000000000000007993490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.970{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x80000000000000007993489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.970{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30E,IMPHASH=8F811B713271A0FEFA798FB95D523A8BtrueMicrosoft WindowsValid 734700x80000000000000007993488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.970{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007993487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.938{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\mmcbase.dll10.0.14393.4169 (rs1_release.210107-1130)MMC Base DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmmcbase.dllMD5=1C8D01FA2F46DA43580F66690E59F942,SHA256=24E48F93B6050D9DA4D1B93D07FCEA7F15AF8142BA8F4B8CFEF19FA670EB5B4E,IMPHASH=3A0957E0E673BE892DE6FEF53C3A2C7BtrueMicrosoft WindowsValid 734700x80000000000000007993486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.954{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x80000000000000007993485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.954{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007993484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.954{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007993483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.923{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\mmc.exe10.0.14393.4169 (rs1_release.210107-1130)Microsoft Management ConsoleMicrosoft® Windows® Operating SystemMicrosoft Corporationmmc.exeMD5=495BFF5AE1B52661212BB65F1CFDA718,SHA256=A08EC9D2F811726BDCD71F7C5B40CDB543D092C11811A45180E569FE3F62124D,IMPHASH=ED5A55DAB5A02F29D6EE7E0015F91A9FtrueMicrosoft WindowsValid 734700x80000000000000007993482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.938{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\duser.dll10.0.14393.0 (rs1_release.160715-1616)Windows DirectUser EngineMicrosoft® Windows® Operating SystemMicrosoft CorporationDUser.DLLMD5=42D5E1F8641E9DCEE0D8751F6F7A8961,SHA256=9168110EF404BF179888AF4A0F02B2817F020BFB16351778F2DDD6915C92F190,IMPHASH=9134DC493583245CFD7E3B68926C19D0trueMicrosoft WindowsValid 734700x80000000000000007993481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.938{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x80000000000000007993480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.938{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x80000000000000007993479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.938{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007993478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.938{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007993477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.938{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007993476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.938{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007993475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.938{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007993474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.938{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007993473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.923{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x80000000000000007993472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.923{3BF36828-E8AA-60DD-FC01-00000000C801}34885044C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+3c78a8|C:\Windows\System32\windows.storage.dll+3cbe7f|C:\Windows\System32\SHELL32.dll+208fc2|C:\Windows\System32\SHELL32.dll+8fdb0|C:\Windows\System32\SHELL32.dll+d0c66|C:\Windows\System32\SHELL32.dll+b6e2e|C:\Windows\System32\windows.storage.dll+2d1a2|C:\Windows\System32\windows.storage.dll+2ce99|C:\Windows\System32\windows.storage.dll+2cd6f|C:\Windows\System32\SHELL32.dll+d0c66|C:\Windows\System32\SHELL32.dll+b6e2e|C:\Windows\System32\SHELL32.dll+1721db|C:\Windows\System32\SHELL32.dll+4095f0|C:\Windows\System32\windows.storage.dll+fd065|C:\Windows\System32\windows.storage.dll+fcda5|C:\Windows\System32\windows.storage.dll+fc9ac|C:\Windows\System32\windows.storage.dll+1664ae|C:\Windows\System32\windows.storage.dll+1661a2|C:\Windows\System32\SHELL32.dll+90ee1|C:\Windows\System32\SHELL32.dll+8fd46 10341000x80000000000000007993471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.923{3BF36828-E8AA-60DD-FC01-00000000C801}34885044C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c788c|C:\Windows\System32\windows.storage.dll+3cbe7f|C:\Windows\System32\SHELL32.dll+208fc2|C:\Windows\System32\SHELL32.dll+8fdb0|C:\Windows\System32\SHELL32.dll+d0c66|C:\Windows\System32\SHELL32.dll+b6e2e|C:\Windows\System32\windows.storage.dll+2d1a2|C:\Windows\System32\windows.storage.dll+2ce99|C:\Windows\System32\windows.storage.dll+2cd6f|C:\Windows\System32\SHELL32.dll+d0c66|C:\Windows\System32\SHELL32.dll+b6e2e|C:\Windows\System32\SHELL32.dll+1721db|C:\Windows\System32\SHELL32.dll+4095f0|C:\Windows\System32\windows.storage.dll+fd065|C:\Windows\System32\windows.storage.dll+fcda5|C:\Windows\System32\windows.storage.dll+fc9ac 10341000x80000000000000007993470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.923{3BF36828-E8AA-60DD-FC01-00000000C801}34885044C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c788c|C:\Windows\System32\windows.storage.dll+3cbe7f|C:\Windows\System32\SHELL32.dll+208fc2|C:\Windows\System32\SHELL32.dll+8fdb0|C:\Windows\System32\SHELL32.dll+d0c66|C:\Windows\System32\SHELL32.dll+b6e2e|C:\Windows\System32\windows.storage.dll+2d1a2|C:\Windows\System32\windows.storage.dll+2ce99|C:\Windows\System32\windows.storage.dll+2cd6f|C:\Windows\System32\SHELL32.dll+d0c66|C:\Windows\System32\SHELL32.dll+b6e2e|C:\Windows\System32\SHELL32.dll+1721db|C:\Windows\System32\SHELL32.dll+4095f0|C:\Windows\System32\windows.storage.dll+fd065|C:\Windows\System32\windows.storage.dll+fcda5|C:\Windows\System32\windows.storage.dll+fc9ac|C:\Windows\System32\windows.storage.dll+1664ae 734700x80000000000000007993469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.923{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007993468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.923{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007993467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.923{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007993466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.923{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007993465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.923{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007993464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.923{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007993463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.923{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040,IMPHASH=1B1E4C2174456B1956B734A2FE9401EFtrueMicrosoft WindowsValid 734700x80000000000000007993462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.923{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007993461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.923{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\pcacli.dll10.0.14393.0 (rs1_release.160715-1616)Program Compatibility Assistant Client ModuleMicrosoft® Windows® Operating SystemMicrosoft Corporation-MD5=012B8825E588F74439D55115ED1FE5AD,SHA256=D646D30D2538E47FEFB9C1D5B323476B2701822FF6BCC91155C40BAA6710975E,IMPHASH=EE6E7AA59AC992D3937C01196243C8D7trueMicrosoft WindowsValid 734700x80000000000000007993460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.923{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6,IMPHASH=46ADE2B067E724C7163A0B1902FEF225trueMicrosoft WindowsValid 10341000x80000000000000007993459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.907{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.907{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.907{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.907{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007993455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.898{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exe10.0.14393.4169 (rs1_release.210107-1130)Microsoft Management ConsoleMicrosoft® Windows® Operating SystemMicrosoft Corporationmmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\services.msc" C:\Users\Administrator\ATTACKRANGE\Administrator{3BF36828-E8A9-60DD-F846-180000000000}0x1846f82HighMD5=495BFF5AE1B52661212BB65F1CFDA718,SHA256=A08EC9D2F811726BDCD71F7C5B40CDB543D092C11811A45180E569FE3F62124D,IMPHASH=ED5A55DAB5A02F29D6EE7E0015F91A9F{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding 734700x80000000000000007993454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.876{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\urlmon.dll11.00.14393.4402 (rs1_release.210426-1725)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=3562767F9C1D8359A735D4F64A9733F5,SHA256=7E60D82C417779D316000AD376BE9BA2CD14728616F35289E34E47CC6839620B,IMPHASH=198DE5B70ABFFE7B73AD088D655B26D1trueMicrosoft WindowsValid 734700x80000000000000007993453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.876{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\synceng.dll10.0.14393.0 (rs1_release.160715-1616)Windows Briefcase EngineMicrosoft® Windows® Operating SystemMicrosoft CorporationSYNCENG.DLLMD5=A683B60F1A5FAC27D1173F937403ED1B,SHA256=57450827A7F7D880F236F27A1D92654A3284842226539A26F311CFA736083571,IMPHASH=0A2DBAAA924DBD2D0A4335D1E0E9A7C9trueMicrosoft WindowsValid 734700x80000000000000007993452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.876{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\syncui.dll10.0.14393.2608 (rs1_release.181024-1742)Windows BriefcaseMicrosoft® Windows® Operating SystemMicrosoft CorporationSYNCUI.DLLMD5=D3CD7E690590A1AD564C832DFE1A1922,SHA256=F3CB2B362A0970B106D8B5F27F80D019931090D3ED579C72182163502BA212B7,IMPHASH=39745F2E08404A86C1D135E2AB69B2B1trueMicrosoft WindowsValid 734700x80000000000000007993451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.876{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\linkinfo.dll10.0.14393.0 (rs1_release.160715-1616)Windows Volume TrackingMicrosoft® Windows® Operating SystemMicrosoft CorporationLINKINFO.DLLMD5=4CE9B67A187310E37E535FC4165E0933,SHA256=469B33A5DDAA93D28F66AE6D6956268F6F2F09F146734D00A931FBDD1D87DE42,IMPHASH=F3640F50846C35CCE7151F1E835AE727trueMicrosoft WindowsValid 734700x80000000000000007993450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.845{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\System32\Cortana.Persona.dll10.0.14393.4169 (rs1_release.210107-1130)Cortana.PersonaMicrosoft® Windows® Operating SystemMicrosoft CorporationCortana.Persona.dllMD5=C2700BE8F4B0B2FABE2197E30C854225,SHA256=2D0414C38ED278779C49E9151A68D03C8791457DA34B93846D38921274BC12E7,IMPHASH=22A0992389FD6A6A32421DFAD79D27DCtrueMicrosoft WindowsValid 734700x80000000000000007993449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.860{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007993448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.860{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\ntshrui.dll10.0.14393.4169 (rs1_release.210107-1130)Shell extensions for sharingMicrosoft® Windows® Operating SystemMicrosoft Corporationntshrui.dllMD5=E996A5D4EA7754FF1B0411F0B1664603,SHA256=B2DA0AC549C551A2CAF0714EF3B344C33943292FB1FA9F2EEFA706B6FF18F1A2,IMPHASH=AC4154F2DB854AC5F42815BCE5C34155trueMicrosoft WindowsValid 734700x80000000000000007993447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.845{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\twext.dll10.0.14393.4283 (rs1_release.210303-1802)Previous Versions property pageMicrosoft® Windows® Operating SystemMicrosoft Corporationtwext.dllMD5=52DA27C0F880437C2E6DA97516D68EDD,SHA256=D90E5DE35E53C01F57BD201D483A6E03C77F76C7BC497C83F85003F937779425,IMPHASH=29C3BF5A3E76E3AC1BA5E32244E9991FtrueMicrosoft WindowsValid 10341000x80000000000000007993446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.860{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000007993445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.860{3BF36828-E8AB-60DD-0602-00000000C801}38121840C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 734700x80000000000000007993444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.845{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\cscui.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Client Side Caching UIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscui.dllMD5=1AFE7E2522633DF86B3160B378F1ABB9,SHA256=A1BFE3136924F3E5276F5C555F51770D9C50A321572DA4F677F2C0D8D5132A76,IMPHASH=7C4C5D26A164B555C68D5F02A417A150trueMicrosoft WindowsValid 10341000x80000000000000007993443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.845{3BF36828-E8AB-60DD-0602-00000000C801}3812884C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.845{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.845{3BF36828-E8AB-60DD-0602-00000000C801}3812884C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.845{3BF36828-E8AB-60DD-0602-00000000C801}38123588C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.845{3BF36828-E8AB-60DD-0602-00000000C801}38123588C:\Windows\Explorer.EXE{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.845{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.829{3BF36828-E8AA-60DD-0002-00000000C801}21363752C:\Windows\system32\taskhostw.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007993436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.829{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 10341000x80000000000000007993435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.798{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.798{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.798{3BF36828-E8AA-60DD-FC01-00000000C801}34881396C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+36f20|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+32f80|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+22534|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\SharedStartModel.dll+77f37|C:\Windows\System32\SharedStartModel.dll+b2d9d|C:\Windows\System32\SharedStartModel.dll+b2285|C:\Windows\System32\SharedStartModel.dll+b2801|C:\Windows\system32\windows.cortana.Desktop.dll+a80e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f 10341000x80000000000000007993432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.798{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.798{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.798{3BF36828-E8AA-60DD-FC01-00000000C801}34881600C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+cdc7|C:\Windows\system32\windows.cortana.Desktop.dll+aedd|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.798{3BF36828-E8AA-60DD-FC01-00000000C801}34881600C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+ae11|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.798{3BF36828-E8AA-60DD-FC01-00000000C801}34881600C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+2fc27|C:\Windows\system32\windows.cortana.Desktop.dll+2fb6b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.798{3BF36828-E8AA-60DD-FC01-00000000C801}34881600C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+2fb01|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.798{3BF36828-E8AA-60DD-FC01-00000000C801}34881600C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+cdc7|C:\Windows\system32\windows.cortana.Desktop.dll+aedd|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000007993425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.798{3BF36828-E8AA-60DD-FC01-00000000C801}34881600C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+ae11|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x80000000000000007993424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.689{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1836F96B4E8411DB09675D79572FCCE8,SHA256=C488090FFD4949B662CAA5184A6C751F35DC1A0CCE1213345600E832BE248A49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899935Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:39.377{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF3077E1AE6D37B65B2ED0C9905FD8B,SHA256=2FB91E9DB9C215654DE9E2727188A23618E09D79A6CAA6FF389F351ADAC6CC85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007993554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.985{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x80000000000000007993553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.985{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x80000000000000007993552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.985{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 23542300x80000000000000007993551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.970{3BF36828-E8AA-60DD-0002-00000000C801}2136ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\P7C6AEMC\views[1]MD5=A726593A8261930E4786375106FC6BFE,SHA256=E6BFDFBB9A0649EA9D38DE4255C355C581097E6A1035A54943260B22AD45F172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007993550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.970{3BF36828-E977-60DD-2902-00000000C801}4604ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\IG8VTJ96\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007993549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.970{3BF36828-E8AA-60DD-0002-00000000C801}2136ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\IG8VTJ96\views[1]MD5=BEE1758A485085BB8A121EB74BA7E96F,SHA256=EDCAD5B1CE8A304B70B8C9EA57D4AEAB740D979FFA59243B943011CB1BA4D57E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007993548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.970{3BF36828-E977-60DD-2902-00000000C801}4604ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\2FSZZH5K\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007993547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.892{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007993546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.892{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\msimtf.dll10.0.14393.0 (rs1_release.160715-1616)Active IMM Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSIMTF.DLLMD5=BAAE2C3547EB0A28AAD2C1237732BAE1,SHA256=314348DB567C72EE00B14C8094818AA3278037DB0490487509FB38B0E2222509,IMPHASH=6F06E66C95EF188EDA6C1FD34DD15FB4trueMicrosoft WindowsValid 734700x80000000000000007993545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.876{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=0DB1A588A248E852AD781AE14333A5C6,SHA256=6F9C36C2663B90439A1AEE74855C521FCBBDB8C7B88382C9464906F1691F65F6,IMPHASH=06716A63D3E6F97CB489B0D6810B3519trueMicrosoft WindowsValid 734700x80000000000000007993544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.657{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\wintrust.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=D8CD8451D1E194230F18866AD6EFE5E7,SHA256=9977AA1287962035C24DF806DDA67F09FFE9BDF696DBA507D749C624AE1C178D,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x80000000000000007993543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.657{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=51A0208B106B4392AC4B3174B27A39EF,SHA256=EA9955976994C44DC091A07C69E9C863A4D5A960900019D3C4136BDFD1F885D4,IMPHASH=334E5331674424695F9872596E2677C7trueMicrosoft WindowsValid 734700x80000000000000007993542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.610{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\mshtml.dll11.00.14393.4402 (rs1_release.210426-1725)Microsoft (R) HTML ViewerInternet ExplorerMicrosoft CorporationMSHTML.DLLMD5=36632491A22ED506C92FC9057766779E,SHA256=A9B7E02AC9D99DC56A53E233E0B7466028322734F0F925B7B0114790B26416DB,IMPHASH=CBEE0B2314A44C19D7D26951C39F11F6trueMicrosoft WindowsValid 734700x80000000000000007993541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.751{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AE,IMPHASH=52045AC79DBE663F06AB7C9717524D40trueMicrosoft WindowsValid 734700x80000000000000007993540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.657{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x80000000000000007993539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.657{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FA,IMPHASH=5BAA515B293A764CA06512D078C4E624trueMicrosoft WindowsValid 734700x80000000000000007993538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.642{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\srpapi.dll10.0.14393.4350 (rs1_release.210407-2154)SRP APIs DllMicrosoft® Windows® Operating SystemMicrosoft Corporationsrpapi.dllMD5=6EE744B7052F6DE1C9870F9C97FDB42F,SHA256=6FE549AAB3A751D32F4FE7A1492BE85B4FD4AD718A9561CBAB6E82B97BCFDD40,IMPHASH=8C07B81A4B319D612B954B42DF3C1D74trueMicrosoft WindowsValid 23542300x80000000000000007993537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.626{3BF36828-E8AA-60DD-0002-00000000C801}2136ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\2FSZZH5K\views[1]MD5=A726593A8261930E4786375106FC6BFE,SHA256=E6BFDFBB9A0649EA9D38DE4255C355C581097E6A1035A54943260B22AD45F172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007993536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.626{3BF36828-E977-60DD-2902-00000000C801}4604ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\P7C6AEMC\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007993535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.626{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\wininet.dll11.00.14393.4402 (rs1_release.210426-1725)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=27D3D531D0EA9B3EE7F54C4DE5A15946,SHA256=05254BA3332E887C9F97D42406A7C2CEE4DF405ECAF39391968FD472CC4F1F89,IMPHASH=B3ABC7D59C2B1ACAEECA63C53B0AAC4BtrueMicrosoft WindowsValid 734700x80000000000000007993534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.610{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007993533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.423{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\ieframe.dll11.00.14393.4402 (rs1_release.210426-1725)Internet BrowserInternet ExplorerMicrosoft CorporationIEFRAME.DLLMD5=F264D54875955DFBCB5CDC0DAE1F33C7,SHA256=F528B5132F6F8C0F612E3643F23961AD0787A18DDF1E1074D9980F7F8253166F,IMPHASH=C88C7ABCCBE2D1CE9D711B5FBA02EA04trueMicrosoft WindowsValid 734700x80000000000000007993532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.423{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0,IMPHASH=FED414075FF3F23F21C898B1860393B4trueMicrosoft WindowsValid 734700x80000000000000007993531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.423{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007993530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.423{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007993529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.423{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\winhttp.dll10.0.14393.4169 (rs1_release.210107-1130)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=24995B62FFC2519B34A2145673BD275F,SHA256=BB7D4DE1BE6111462F65F999A8969DA04113F15A80D534A93D3CCC76A9FE1F22,IMPHASH=F1FC6BF3699C289EBAF914A7771E49CDtrueMicrosoft WindowsValid 23542300x80000000000000007993528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.423{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45ED217937F42920A3300E564EB75BB6,SHA256=F50A4F52BBF813D511330EA6D4918DA1302E1F1D95045AAEEE21AF89B5CF2935,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007993527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.423{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007993526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.423{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\userenv.dll10.0.14393.3986 (rs1_release.201002-1707)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=047D26DCED07A10913C3E7C3A7502BED,SHA256=143C661F79AC6BB271452A10C2A19F6B1AAAAE43B4062B6CFF173F7D8ABC40FE,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x80000000000000007993525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.173{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\twinapi.appcore.dll10.0.14393.4169 (rs1_release.210107-1130)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=B877C5BDEA2215B3D3CF89F645EB535C,SHA256=2F5468CC4277C8CB4B2AD1095AFC739ECAE0F0B6EE78E57BF64A97F3BDA54C19,IMPHASH=52DACB9FFE8B422785C607A5B88982C7trueMicrosoft WindowsValid 734700x80000000000000007993524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.173{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\dxgi.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)DirectX Graphics InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationdxgi.dllMD5=3C32D763740C83DB2C44DEA4B6F18C54,SHA256=ED26DBB9C3656767CA25887CDC3B45CF978AFC75E064FF5457A36C7A69E55223,IMPHASH=83736A76214A92F5C1B53248D0C22863trueMicrosoft WindowsValid 734700x80000000000000007993523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.188{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\atlthunk.dll10.0.14393.2969 (rs1_release.190503-1820)atlthunk.dllMicrosoft® Windows® Operating SystemMicrosoft Corporationatlthunk.dllMD5=BECA5E9FA540246333036919A57B7AEF,SHA256=62C24B274B38A88C83EE122CB30142C2135953C1A26582AD003512B238CB7FC9,IMPHASH=E86BAF1A171668A11110B8975A3BDE27trueMicrosoft WindowsValid 734700x80000000000000007993522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.188{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x80000000000000007993521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.173{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\d3d11.dll10.0.14393.4169 (rs1_release.210107-1130)Direct3D 11 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D11.dllMD5=EDCE49E7FDE3BD70DF70F05B8C47ACD4,SHA256=864EC8827EB03CDF7F2FC5E318283A7835E600CE548590C59E1DCF8BF8112089,IMPHASH=460DAE5CA92CB705C37D78BE630D6120trueMicrosoft WindowsValid 734700x80000000000000007993520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.173{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007993519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.157{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\dcomp.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft DirectComposition LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdcomp.dllMD5=40873566DBFF13981CA1AE23AC281C5D,SHA256=E52C4619C837358454B969D31E2E14ACDEDABB384272D48C03E4F0AF9A2C2B6E,IMPHASH=9651C547656809410E78B358203C1A1DtrueMicrosoft WindowsValid 734700x80000000000000007993518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.157{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\DataExchange.dll10.0.14393.4169 (rs1_release.210107-1130)Data exchangeMicrosoft® Windows® Operating SystemMicrosoft CorporationDataExchange.dllMD5=23F499FA8F8E02A8090FB78E80617BDD,SHA256=08C2E505F3765D98379BB88DC8AD5555AB680A691054933FCA1A2CFCDFA42F51,IMPHASH=05056B92E29CCE6F97F9C6674AE080C0trueMicrosoft WindowsValid 734700x80000000000000007993517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.126{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\msctf.dll10.0.14393.4225 (rs1_release.210127-1811)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=1FD254D30743876981194F7E17ECDB6F,SHA256=0CB67AC140097A888B7ED85C9A31F8967D16661B82557CE5D61FA70A85BDF8B8,IMPHASH=BC8DDE4D2412D48001350313FD2B7840trueMicrosoft WindowsValid 734700x80000000000000007993516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.142{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=1DB944C25F1B1D7105543E61F1CC5E2F,SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046,IMPHASH=563B6F147961D943E0261E05EAD94B56trueMicrosoft WindowsValid 734700x80000000000000007993515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.142{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.14393.2457_none_a13eaee9d8fd5c07\comctl32.dll5.82 (rs1_release_inmarket.180822-1743)Common Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMCTL32.DLLMD5=C89866876D676708892DEEA04A886CDA,SHA256=6C498F9AFFC75DFAADDACB9D1D4248862622FB2B06F0A410BA303A26FEADFF2B,IMPHASH=49FE37530A5C395ADDDAFC2730B16DDDtrueMicrosoft WindowsValid 734700x80000000000000007993514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.126{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\wbem\MMFUtil.dll10.0.14393.0 (rs1_release.160715-1616)WMI Snapin HelpersMicrosoft® Windows® Operating SystemMicrosoft CorporationMMFUtil.exeMD5=41FE3A9BE3069044C3389499D00D5DC5,SHA256=3AD1DC3B9F565CA4DADA9C09577B18E1E4B717DD4E9C1D799C236FAAE2FAC77A,IMPHASH=E0BDE8CB827909A795F0E95BB4C47E75trueMicrosoft WindowsValid 734700x80000000000000007993513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.142{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x80000000000000007993512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.110{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\wbem\ServDeps.dll10.0.14393.4169 (rs1_release.210107-1130)WMI SnapinsMicrosoft® Windows® Operating SystemMicrosoft CorporationServDeps.exeMD5=BB6D7D53A5DF6569A3182BD974421D1D,SHA256=002276FF6421C9A5B5AF4A452823979B0722E3F8040B5AD72FF35BC9CA4E64D7,IMPHASH=D023E66A86A2986825E2F69599D9255EtrueMicrosoft WindowsValid 734700x80000000000000007993511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.126{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\oleacc.dll7.2.14393.4169 (rs1_release.210107-1130)Active Accessibility Core ComponentMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEACC.DLLMD5=1B04659F0A22BFE9142B6AD36467ACEA,SHA256=67BC7C19D71FB98A7B5882B0F2BFC8F2E4491B4ACBE23EE545D54FFCAEC808E9,IMPHASH=427F18493D540CBF4092BD07A97BE51FtrueMicrosoft WindowsValid 734700x80000000000000007993510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.110{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\atl.dll3.05.2284ATL Module for Windows XP (Unicode)Microsoft (R) Visual C++Microsoft CorporationATL.DLLMD5=C1B73181019C1E1F28F4161B5F198B7F,SHA256=C3678504437D23910C18D3680B05B4E819A2229BDD0E1E0567186C70D814560D,IMPHASH=5500EF6AAEED0FAA2DE0F3B65E67DE20trueMicrosoft WindowsValid 734700x80000000000000007993509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.126{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x80000000000000007993508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.110{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x80000000000000007993507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.095{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\filemgmt.dll10.0.14393.4169 (rs1_release.210107-1130)Services and Shared FoldersMicrosoft® Windows® Operating SystemMicrosoft Corporationfilemgmt.dllMD5=ED09564CB149B1B3E7B6539C701EFACB,SHA256=0182C80246F1135A0D064A0C8BE2D6099DE0A89EAF1A6942C0C4CA7B1BA5B63C,IMPHASH=549C582E988CC310033DC7C89B0CFD96trueMicrosoft WindowsValid 734700x80000000000000007993506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.079{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\mmcndmgr.dll10.0.14393.4169 (rs1_release.210107-1130)MMC Node Manager DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmmcndmgr.dllMD5=DDDF9C3B3B4CCFAAD35BA49B0864608F,SHA256=A8EE05699A2CE04D63D078C33A397ABE8D90AE6BC5F0156230620615B13A2F8B,IMPHASH=51AD9533DC3E1E0CFCFEECD129A51944trueMicrosoft WindowsValid 734700x80000000000000007993505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.095{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117,IMPHASH=BF1AF19CCBABA6D54178C43BE36CD985trueMicrosoft WindowsValid 734700x80000000000000007993504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.079{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\msxml6.dll6.30.14393.4402MSXML 6.0Microsoft XML Core ServicesMicrosoft CorporationMSXML6.dllMD5=B180CFB17D7039CAC46371B8CA857F22,SHA256=C62664A4AA96626864D394EC99F5562DDC59C1CF4DF57AF8E699079F16A85695,IMPHASH=A74F148CA887740D0E045C70ACC762EBtrueMicrosoft WindowsValid 734700x80000000000000007993503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.048{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x80000000000000007993502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.048{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\iertutil.dll11.00.14393.4283 (rs1_release.210303-1802)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=5541A4A7FB64063F8AFB192ABD4DAE70,SHA256=AABF2E6C392F29B77F076BF705976B68B3100138BC63060335BD154B8417754D,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x80000000000000007993501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.048{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\urlmon.dll11.00.14393.4402 (rs1_release.210426-1725)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=3562767F9C1D8359A735D4F64A9733F5,SHA256=7E60D82C417779D316000AD376BE9BA2CD14728616F35289E34E47CC6839620B,IMPHASH=198DE5B70ABFFE7B73AD088D655B26D1trueMicrosoft WindowsValid 734700x80000000000000007993500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.032{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x80000000000000007993499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.032{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007993498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.032{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x80000000000000007993497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.032{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 23542300x800000000000000015899937Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:40.393{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A4A16724EB71D00611D70D079D7A72B,SHA256=891477613D312224678B67F5CA4806D1E2820177300D1EC7BB2A6EA4CE8BD63D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899936Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:37.547{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52001-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007993567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:41.892{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA81DFC24824EC9CA7C25CABA58F3433,SHA256=C4690B989CA965BB76C27B6891414300F5FCBDB004638B78801EB2CAAFEC6080,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007993566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:39.402{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62271-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x80000000000000007993565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:41.110{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\msls31.dll3.10.349.0Microsoft Line Services library fileMicrosoft® Line ServicesMicrosoft CorporationMSLS31.DLLMD5=1B3268228F5D58D543A3CB0C24696CBE,SHA256=A701E9843C81A9E9BA2A3EAE9908B7F690D9B7F95E5A7384F61D60DB046B9315,IMPHASH=22022E58D2351099BED48D9D44B57787trueMicrosoft WindowsValid 734700x80000000000000007993564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:41.095{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\jscript.dll5.812.10240.16384Microsoft ® JScriptMicrosoft ® JScriptMicrosoft Corporationjscript.dllMD5=10E7553C95B619BF68D92211D5A98661,SHA256=346EE023A8CD0B250AA02156F566C7A752359175A0F6840FA7BF3DB4169806C5,IMPHASH=8F400BD5BA6B9EC9A38B7CC6A0B45A54trueMicrosoft WindowsValid 734700x80000000000000007993563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:41.079{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\d3d10warp.dll10.0.14393.2608 (rs1_release.181024-1742)Direct3D 10 RasterizerMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D10Warp.dllMD5=B69F0419A16A616FE2D779EC98CD7FB9,SHA256=2D10B43F2137433E48A009227487C691E312D186691485D33B4FDF90D8423C9D,IMPHASH=E32C7474360C94A9FE5E17141A4AB35FtrueMicrosoft WindowsValid 734700x80000000000000007993562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:41.064{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\ResourcePolicyClient.dll10.0.14393.3808 (rs1_release.200707-2105)Resource Policy ClientMicrosoft® Windows® Operating SystemMicrosoft CorporationResourcePolicyClient.dllMD5=8FD5FEFE4E020BBC2D95F07BCDC84F71,SHA256=E5E351822CCDEBF81C47C4CA1D5C158E2880C1BD29CA024D163FD9316F3046AE,IMPHASH=E494F732179E765F2CE18BC21CDB1948trueMicrosoft WindowsValid 734700x80000000000000007993561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:41.064{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\DWrite.dll10.0.14393.4225 (rs1_release.210127-1811)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=BB0ECCB8A72B5926A58433666145D459,SHA256=9C082B0EF00A6E174062634F0421B1179D27BC9077A5C0B1FEB2AA74DBAC2E68,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x80000000000000007993560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:41.032{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\d2d1.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft D2D LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationd2d1MD5=E15A420D82314AF63973D7D0AB3BA2DD,SHA256=C264B2FA1F3E67E558E2671807C06270926EF456F4FF83F1F9859B18184F187E,IMPHASH=5F8C6AF7D0781F35A516AEB072DAD045trueMicrosoft WindowsValid 734700x80000000000000007993559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.985{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x80000000000000007993558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.985{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\UIAutomationCore.dll7.2.14393.4169 (rs1_release.210107-1130)Microsoft UI Automation CoreMicrosoft® Windows® Operating SystemMicrosoft CorporationUIAutomationCore.dllMD5=9B2DCFE11EEBDDC18A8F5964E04E64A0,SHA256=5CBC5B45B9EB5B4EF1360005CD675D20D7EE9FE588DA24543FF7C9ACB88317FF,IMPHASH=6691D3D33C2662107A11540A5A994674trueMicrosoft WindowsValid 734700x80000000000000007993557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:40.954{3BF36828-E977-60DD-2902-00000000C801}4604C:\Windows\System32\mmc.exeC:\Windows\System32\jscript9.dll11.00.14393.4402 (rs1_release.210426-1725)Microsoft ® JScriptInternet ExplorerMicrosoft Corporationjscript9.dllMD5=A2A638AA2BF88D1D17E572375CB0B779,SHA256=E6D6A81724F3407E3830AF3529195DC299C4FB1B3C35914E42CDB7D2D67C9A8A,IMPHASH=704EFF1E9FEFBCE05FA175E0B6CD855CtrueMicrosoft WindowsValid 23542300x80000000000000007993556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:41.001{3BF36828-E8AA-60DD-0002-00000000C801}2136ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\2FSZZH5K\views[1]MD5=BEE1758A485085BB8A121EB74BA7E96F,SHA256=EDCAD5B1CE8A304B70B8C9EA57D4AEAB740D979FFA59243B943011CB1BA4D57E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007993555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:41.001{3BF36828-E977-60DD-2902-00000000C801}4604ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\P7C6AEMC\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899938Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:41.408{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDB1DD8BD271ED03B1B48D828A8023CC,SHA256=B351E6EC591BB641C430F7747E58EE450EC4A97705ACF1CF897F34E4D498493C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007993573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:42.751{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CAB7D06F9634CE93BA74040A6368A16,SHA256=9E5DD914BC7E0551F49023B40AD20D544559B289D8C94134873C5CEE0A70122F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007993572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:42.673{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007993571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:42.673{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007993570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:42.673{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007993569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:42.673{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x80000000000000007993568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:42.423{3BF36828-DD0D-60DD-1200-00000000C801}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=90E2EB2234BC41E174BDD3B62DE53FF5,SHA256=BE7D1B8D74A551C34325BFFCE0DACD88CF9290E6B577A35EAB1DCDA7B5EF9E79,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015899953Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:42.893{B81B27B7-E97A-60DD-4E2A-00000000C701}51445404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899952Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:42.737{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E97A-60DD-4E2A-00000000C701}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899951Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:42.737{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899950Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:42.737{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899949Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:42.737{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899948Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:42.737{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899947Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:42.737{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899946Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:42.737{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899945Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:42.737{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899944Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:42.737{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899943Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:42.737{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899942Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:42.737{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E97A-60DD-4E2A-00000000C701}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899941Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:42.737{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E97A-60DD-4E2A-00000000C701}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899940Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:42.737{B81B27B7-E97A-60DD-4E2A-00000000C701}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015899939Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:42.424{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B3881D23CEF7A09068BDC3C8D1E369A,SHA256=55C4AFB397630D065D95A94645AF47D856C7947EA7DDA1FFD926B4F7FF9A4C00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007993574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:43.501{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5249081032F4BC8951CE47721B15624,SHA256=719B8F4982A38E021FF53411C2EE04CBFEE139CC5E4D4D6571BA3F018A4F0A97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899969Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:43.877{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=031595D6D4ED07ADAC621EAEB623028A,SHA256=2C3612E781B3A3751D4F575250DB1927594683604F4BAE19DE51A9A1EFF6F425,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899968Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:43.877{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43B753FCC7F8541974936EBC4E646D7A,SHA256=3AAA77D621C97BC6C04FF7B9DBFB45465787EAE9ABDB8F8A2FA2424A81B47594,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015899967Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:43.877{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=330CB6213CBCE8EA0E334A4F4FA934C3,SHA256=BF2CB847D61DCB5357C1FE2349FF6F4FE58F77B7462C6E6EB10DDDA4C80F8477,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015899966Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:43.408{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E97B-60DD-4F2A-00000000C701}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899965Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:43.408{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899964Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:43.408{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899963Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:43.408{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899962Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:43.408{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899961Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:43.408{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899960Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:43.408{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899959Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:43.408{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899958Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:43.408{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899957Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:43.408{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899956Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:43.408{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E97B-60DD-4F2A-00000000C701}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899955Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:43.408{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E97B-60DD-4F2A-00000000C701}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899954Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:43.409{B81B27B7-E97B-60DD-4F2A-00000000C701}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007993575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:44.251{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1AC99952F78592CAAEF974852640BCC,SHA256=E643D3E0849ABF2C99386E5CB331E8A7024DBA55EC30248224FC913C5FABCFAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899983Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:44.893{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93BB3AB5127779C710AC5758AB1AD06D,SHA256=A7BF9440E4CC79EB3BC67017D5250F10FFC4BE0E6DD8DC8A6570ACE19AAF57EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015899982Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:44.080{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E97C-60DD-502A-00000000C701}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899981Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:44.080{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899980Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:44.080{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899979Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:44.080{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899978Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:44.080{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899977Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:44.080{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899976Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:44.080{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899975Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:44.080{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899974Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:44.080{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899973Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:44.080{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899972Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:44.080{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E97C-60DD-502A-00000000C701}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899971Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:44.080{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E97C-60DD-502A-00000000C701}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899970Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:44.081{B81B27B7-E97C-60DD-502A-00000000C701}6020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007993585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:45.204{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007993584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:45.204{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007993583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:45.204{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007993582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:45.204{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007993581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:45.204{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007993580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:45.204{3BF36828-E8AA-60DD-FD01-00000000C801}32804620C:\Windows\system32\sihost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:45.142{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007993578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:45.142{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000007993577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:45.142{3BF36828-DD0C-60DD-0C00-00000000C801}8644220C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x80000000000000007993576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:45.017{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=220A1EE43F2378F9554B951DE8A12E25,SHA256=E3F0DE3E3ABD9F39E976477C05FB8BD980D21B8119463B8045D31E503D6C1457,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899986Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:45.908{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FF83354A02D6E3E82D72D37FB3073E6,SHA256=4CC162722D8ADDDB5FE52E677D0FBB567138C3566FBB7EA5F98E1603E9310582,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015899985Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:43.359{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52002-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015899984Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:45.080{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=031595D6D4ED07ADAC621EAEB623028A,SHA256=2C3612E781B3A3751D4F575250DB1927594683604F4BAE19DE51A9A1EFF6F425,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007993586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:46.439{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F86C1EB0294F6441512EB67D744CB444,SHA256=FFB9D31FBF54FD13B6718BC6CB317258220643F7A97FBA62D34C1253B412CB3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015899987Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:46.940{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=907430AD4A8FF0CFA8E1EA3615C93595,SHA256=31855733748604E8D1D2A4A72AD30DE92843C8F5173A51A7D489483DD90266DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007993588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:47.810{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0771FBA7ABDFBC12C94A31B5CA5F53A5,SHA256=F22DC4A5CCC18199532C06E3108D9B51A1DE1BB679563694C5C6CF6AD2D39374,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007993587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:45.355{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62272-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900002Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:47.980{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67F86D46E1BBF2EC094763F4DF37E6C3,SHA256=62C4169CB29B4D0F299AAFF1F75EA147C1DA95C11DECFC5D29F536D6B62FBEB1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015900001Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:47.543{B81B27B7-E97F-60DD-512A-00000000C701}27644732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900000Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:47.393{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E97F-60DD-512A-00000000C701}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899999Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:47.393{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899998Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:47.393{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899997Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:47.393{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899996Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:47.393{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899995Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:47.393{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899994Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:47.393{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899993Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:47.393{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899992Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:47.393{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899991Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:47.393{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015899990Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:47.393{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E97F-60DD-512A-00000000C701}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015899989Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:47.393{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E97F-60DD-512A-00000000C701}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015899988Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:47.394{B81B27B7-E97F-60DD-512A-00000000C701}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000015900030Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:48.637{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E980-60DD-532A-00000000C701}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900029Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:48.637{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900028Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:48.637{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900027Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:48.637{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900026Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:48.637{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900025Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:48.637{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900024Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:48.637{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900023Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:48.637{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900022Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:48.637{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900021Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:48.637{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900020Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:48.637{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E980-60DD-532A-00000000C701}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900019Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:48.637{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E980-60DD-532A-00000000C701}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900018Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:48.638{B81B27B7-E980-60DD-532A-00000000C701}5200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015900017Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:48.402{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D21CF4E06282BD6F878E0E6A498C66F,SHA256=602D3A93C5B1A8A6C19B6E630BED9FE85363E47CCA0B94525FF86B8E8C1A4E39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015900016Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:48.152{B81B27B7-E980-60DD-522A-00000000C701}37442536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900015Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:48.012{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E980-60DD-522A-00000000C701}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900014Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:48.012{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900013Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:48.012{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900012Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:48.012{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900011Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:48.012{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900010Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:48.012{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900009Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:48.012{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900008Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:48.012{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900007Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:48.012{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900006Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:48.012{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900005Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:48.012{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E980-60DD-522A-00000000C701}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900004Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:48.012{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E980-60DD-522A-00000000C701}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900003Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:48.013{B81B27B7-E980-60DD-522A-00000000C701}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007993590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:49.873{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4509C6E475D0CC8824FA66694EF08DA5,SHA256=1CC7A5E2AB3DC4CA46FD24526ED997E331E2DCB4DCAF51C5E58B9006BCB32607,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007993589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:49.185{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=262C3A2AB22A1EBE7D5386CEFFF31B95,SHA256=BC0202CAF7DB9249C707BA00F81ECBC13FA2102FCF48CA2822F18AFCD651E69D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900046Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:49.652{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9D227CA0129022C16048B54FD3EBD52,SHA256=0CDEBC95C70409450CD11DCE7772747AAAB14FE6A51D751C0BDC0117459FE833,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015900045Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:49.418{B81B27B7-E981-60DD-542A-00000000C701}56963160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900044Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:49.262{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E981-60DD-542A-00000000C701}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900043Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:49.262{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900042Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:49.262{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900041Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:49.262{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900040Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:49.262{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900039Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:49.262{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900038Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:49.262{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900037Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:49.262{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900036Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:49.262{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900035Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:49.262{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900034Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:49.262{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E981-60DD-542A-00000000C701}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900033Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:49.262{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E981-60DD-542A-00000000C701}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900032Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:49.263{B81B27B7-E981-60DD-542A-00000000C701}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015900031Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:49.262{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4934ED4B43CCEB9E1ECE18C21E1129AC,SHA256=51CDF0158EE9E40D19E6C697AA1177B3AD8A7FEFD9A990BC3B35CF00A01B025D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900048Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:50.496{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB8091214333B67353907E92430E5D7,SHA256=51CB96CC85C58A98C922339A242F6E960236FEF5643971D26E92F1B7CE4BA186,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015900047Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:48.493{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52003-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007993591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:51.890{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3507685778203458A6DE52458E5BBC0E,SHA256=37B0EEB55468DB6652760D1DEE89303B90E66FC17381F3BD6E13928A83FCF710,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900049Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:51.527{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47B20841F43684A25F019B933B60B35C,SHA256=F20370B379BCF9305C6ABBA2DFFD6D01D724D75CD9B274F9DBD8F00E05F2FD30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900050Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:52.543{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F54B7D47F7EAF04387E5A0C7C1054E,SHA256=57B5F06C5D582CABF5F622FC68981B08B5B4E8B3F2812093B1320C84A7855D33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007993593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:51.273{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62273-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007993592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:53.250{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6AF4C24C0EF113172ECE217676C3806,SHA256=ABD98035E55FBB45ADCB18EB9080DC3D2B57A5E706132A917B6CD87A788CEBC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900051Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:53.558{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C36D210A72554607196C2AE9DB9C7FB6,SHA256=FBA63C25A7F9C4FB077FD44308EADD841B2E2FE9EC2391C78ADABD36D45FB690,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007993594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:54.671{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E18BBA6C94630311C9959312ACA2DA0,SHA256=1A0266E8BDC568501FD346D475687C1E9519C1A3D10A95FA63E0458BE447D843,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900052Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:54.558{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0E4DF104D39F6932887DFCDDF90241F,SHA256=D17FC04FC5FD43AEC7F514315A11431E6F090AF219A8CF3914B63B0C8E3112AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900054Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:55.652{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05E431238022DD17B8197E88D00EAEC1,SHA256=19604F6FF63AD021031189A37850A703A561DED710B0FC8112EF3F339EA03D7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900053Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:55.387{B81B27B7-880A-60DC-1000-00000000C701}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F763D7912F3961EEFC99F899D2E66690,SHA256=5F382F31CD576C31314660E1AD5D82C32505EA7F5E8FFFA25B516C02282E02C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007993595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:56.031{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4DF49FB340EC5BE3AC774A84C579B8D,SHA256=A475CA163A6D1B9E983108C9869248132C6DB1EF26B370B73338C91666082846,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015900056Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:53.540{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52004-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900055Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:56.668{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CD7F19BCD9492ACFA01878D004702C1,SHA256=ED8FE10DA1B1FA17F144561917C867FE160607C0E1C2125F5561AEF3A5CCC78A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007993596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:57.406{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85B1D04CEF5098F203489E3E8E192F81,SHA256=1C6C595BA149D8CD964B2C15144184EFBDF1B5EE107C9586864833246D958047,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900057Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:57.683{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09E71180F10C32D75F866A03B858488E,SHA256=8E548A43A51A4F67472EAE8D77165A40C80A3CAAFB3171BAC6BDB10D2F2D5FB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007993597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:58.765{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D7D8FC2320F256272976C2F22EFB260,SHA256=2411A69D88074FB3AC000C65C0A7AA01093EF8DB01455BC6496F9D8026A45764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900058Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:58.716{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4F4C90454FF2FA941ACBC415D3A93A5,SHA256=D3CFA62A6EFD210A49BDC1401D0C72482CC77D6988E6F037C499A792465535CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007993598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:12:56.416{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62274-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900059Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:59.775{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FEE26A9E5A23784CA4280452B85FFFA,SHA256=E2E3BBA9F3FFB88B12DD546A1B49CE66B66606D65C5913C60A2FACD9EB558098,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007993600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:00.812{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3841ED9D60F2290CF6B0B97A072D313,SHA256=7E4EDC0160D4C9D1B499B5D73EAD2BDB9DD85C1D326832BDFD929C50A26E1F1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007993599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:00.125{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B14C7A823B2560C82468A9FC2CCFD5C6,SHA256=018FF96C11BCED45374133950869CBFDC74BC7C70C2398CF0D0C29A1EFB69D5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900060Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:00.777{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B8EE1589FC2E453327A3BA8D5D4B385,SHA256=C9DBB9A124A3A346684C72401944D1B300E83ED9DFB1F3E59659C0791EE17283,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007993601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:01.500{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FBCA5C603F253E4166C77EEF223AE13,SHA256=8385D033AE5E8DE5DC48CB1FCDC4886AEF8C0A7D27DD2B099B50C734FB6FB17F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015900062Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:12:59.415{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52005-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900061Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:01.793{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420E51C3BE2AE4611C047E5643FA6164,SHA256=E6243687D40DC4641D72B080B4A0876A08F94C674727910E650B9BDF980629F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007993602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:02.859{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9810D9059BFBC088362B43E247DC84C,SHA256=573E29B288195C54E047AE83F90D8F1BC6B193F3B294DFD059714FD3EF269BE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900063Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:02.808{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC99ADAAD99A109A259F59918DE7615,SHA256=80EF64BF47765F9A4444F41DFD2EFC3CC5DFEBD406421F9329EA62BB0415B6C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900064Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:03.824{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=231F678710DB1ECE5C53AC261E0CD801,SHA256=80522E6A8ADC029ECC8EAAA201ADCF68D24F239278A9E61FB6639AA0E65496AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007993603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:04.234{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDD496754A82779DBC8C7369217A6E24,SHA256=D85D9DDD72653A562772312770F62F24BF61482C312FB043E2EB4E94792D7609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900065Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:04.871{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40EC0F3AFE569896F7B983A47E6F65F0,SHA256=44766B9C214EA415F77559C143BD3BB05D972E61943F6F8F7DBED219F2D5C11B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007993605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:05.593{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36273662AEEA90D65A4D3B6B4D3CA8AC,SHA256=82C0CBA21CE64A43EE9FFC307E6829F1B80383D38B7C05F612F4ECEACD73ACB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007993604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:02.322{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62275-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900066Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:05.887{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BED8860ECD8B178911B9534829BF8099,SHA256=75BE52FC4C0F03D4A40AA1C774D25B169A10A677B737DA86DF8315E10E97837C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007993606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:06.953{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=736DC2582C7257A53CFE3C54162AEAE8,SHA256=83071D72C5A84008B2636F7E425EF37F06624B2397DE14B0EB1DFDA1744AADBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900068Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:06.902{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5165644BE99ED50D81642AB7FFAD0411,SHA256=2E3619D60B048985E12CA9DAA994667164E47219304C9D354614F8E81208536C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015900067Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:04.477{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52006-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900069Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:07.904{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7462DCD14380973000D8679EE5253424,SHA256=6F5937CFE80C15DE8839958C3CE3295F27739DFD30A965BFE39204A2CD60F3CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007993607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:08.328{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDCDBE9A71394626881893D004C1D5FD,SHA256=3401FC305FFD4DF491CBDD3F16F2CA8EA7AD4FCD687A691578A7063DE3F30A5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900070Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:08.920{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB08C054833A8923E155D47FC646828A,SHA256=65FE53B970D27D8854A319B582F9C14C5474895EB1C61576D554B196154FAF2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007993609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:09.688{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=142023ADE49B91A3FC11B0A4FC22F584,SHA256=72E5D473D977288E5105DA2D2DD03689D8B23FE8C8C1FA9B46E94DFDA50B14E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007993608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:09.688{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=654EC145A573D1B24DB99FC51D75BFEF,SHA256=3AFECCC8ACF7825F9796126800C9C82D45BA1AB02825098036917EA3DE1809D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900071Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:09.920{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=006ADA697F3A47CF86C95FD131801014,SHA256=B3CBC2015B2F905C139B7BAD481ACC2D1ED3E8CAFC0A62E1099FF5011224522C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007993610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:07.369{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62276-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900072Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:10.936{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8656AE1171256702891B7E1FF973DD45,SHA256=5C3EAA3F5823AB31E04E45A2B062B93009AB313725DCADD2BC40F6E49B489454,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007993611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:11.063{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD50BD2F40A666005CA29EB0C072547B,SHA256=0521E162F4CB6289E285B2C20158CBE20F1A68B83C6DD69C6362D907CB229316,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900074Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:11.967{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C32B3F8FCD3F6B321BD0F030C57913A,SHA256=46F10513497982A3388D7E2F242C182BC8D423B4F66E40B805034732EC33CFE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015900073Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:09.542{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52007-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007993612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:12.422{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22DC633E7FB9072B0E719120F4426816,SHA256=213B24FF2C20C3AFAE9A13C91CEFD3DC307301ECD495E1791F8587FCEBE56507,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900075Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:12.967{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED7795B14C124C837B5E8D2D559BA945,SHA256=96BBFFB07E62C687069158540AF73402BC960C768EB225CC729C42A77292A181,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007993615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:13.797{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB88B80EC7CCF30E3FC71D3B6F95E81D,SHA256=C5723A0DC697722696C1111E13A2E574A8F36D32B4BA9CD597C89B3A53B1D990,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007993614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:10.791{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62277-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007993613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:10.791{3BF36828-DD1D-60DD-2F00-00000000C801}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62277-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x800000000000000015900076Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:13.982{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AAB62BEF5BB2505C19C96826A57CB29,SHA256=0985EF412EDDF1261A1339071EE8E59F2A89DC1C015AE8167BC8E651308625B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007993616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:12.416{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62278-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007993618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:15.844{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0FC4B24FD23ED64875D5DD65E5C8D1E,SHA256=27888C79DCC10D1D4E81F536F15C250AFDC5DF185896AE0FB1F496276B0247ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007993617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:15.157{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=465B9EF4B467F7A051F2A9507E4A70C6,SHA256=96A4D28969458960201BC656A0DB8BE639F1C4CD6BC1888ED13FEC72C9499C54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900077Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:14.998{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE00C43CCAD646F8CBAD97B8B6AD07A0,SHA256=3100D1487A4BA4D4700B3FDB2F743E8BB97E58D8DB0872EE2D14BD53E55A0E93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900078Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:16.014{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E02AB175484267110709979870A81B40,SHA256=666D62B5088C1870E2E32A45DB4074C583250D98A12729891727CC148A624345,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007993718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.906{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007993717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.906{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007993716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.906{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007993715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.906{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007993714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.906{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007993713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.906{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007993712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.906{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007993711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.906{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007993710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.906{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007993709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007993708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007993707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007993706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007993705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007993704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007993703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007993702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007993701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007993700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007993699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007993698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007993697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007993696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007993695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007993694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007993693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007993692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007993691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007993690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007993689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007993688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007993687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007993686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007993685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007993684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007993683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007993682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007993681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007993680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007993679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007993678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x80000000000000007993677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007993672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.891{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007993671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.893{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007993670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.344{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007993669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.344{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007993668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.344{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007993667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.219{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007993666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.219{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007993665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.219{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007993664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.219{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007993663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.219{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007993662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.219{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007993661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.219{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007993660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.219{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007993659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007993658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007993657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007993656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007993655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007993654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007993653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007993652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007993651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007993650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007993649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007993648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007993647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007993646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007993645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007993644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007993643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007993642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007993641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007993640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007993639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007993638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007993637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007993636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x80000000000000007993635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007993634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007993633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007993632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007993631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007993630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007993629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007993628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007993627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007993626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x80000000000000007993625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007993621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007993620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.205{3BF36828-E99D-60DD-2A02-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007993619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:17.203{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC5B261BD35E9054C92F69D5DA9CDC43,SHA256=966744F63773F1F40BDA140B849976C07A5DF1C6C96A34F90A66254937611D92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900079Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:17.029{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E5B36F78962B2746F5EE071FA8309F7,SHA256=8329159AB446864BE874DCA621A9309997070430BB28749F97ED87693F23D7E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007993723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:18.578{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7368AE584735EEC6F238C12A5CCFDB6,SHA256=992703C0F92983FB4ED80690C5E1335DC30B82317E02A1C556283DFEDA85C718,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007993722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:18.578{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=759A41F90A63DCD7854471742B054412,SHA256=5DC879DA8427C396DC02D112D53F548BE2F81104D11E4415D9A826CECFC6A4AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007993721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:18.032{3BF36828-E99D-60DD-2B02-00000000C801}18684420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007993720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:18.032{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007993719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:18.032{3BF36828-E99D-60DD-2B02-00000000C801}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x800000000000000015900081Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:15.448{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52008-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900080Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:18.045{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081D9395BFDB73AEA3DE5F335EDD2EA1,SHA256=F02BFC999310322D5F6301C85CE4A064C006396E9AA4E212E13143DD6806C46F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007993725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:19.938{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D7F6124F8687C4AE91DDEC03E329D1E,SHA256=8C7CA2CD5032E5F88D8D7C9844FED47422D55B3CDA0337F4032761C74D33AB76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007993724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:19.250{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C481D56D59516BE1C6BAF3A27421357,SHA256=BB955BD83242AB273DC38C5C4C9527A4A97A3A7DEF40F97A4C41A7624CD27953,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900082Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:19.107{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73A323F88CF09B3E624C50AF8E5655DF,SHA256=D9FB164F77FE9C4BB1A8D2D1F0230A5F9BC0AD1715A6C49F3C88FE6A5D259228,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007993726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:18.307{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62279-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900083Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:20.123{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3A1B2F6BB0EB134A5264E03BDB4075E,SHA256=C690A320BF690F35747FC897283F300166BD5A0B466DEC6541F182F89B11F8A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007993728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:21.641{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA6DAC7379C9C2AC8F5DA250153C4927,SHA256=C41F95931DE5EC4EC79319E724241B1C5EA6E498C9473400DFE594CD063323A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007993727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:21.047{3BF36828-DD1D-60DD-3000-00000000C801}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900084Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:21.170{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=773C7DB8201CBBB0EB27D9F9DA2D2724,SHA256=2C4863CAF0D64E8E984F56C0CD23EA22F7618ABE80A03D8D2539C7A2C0488BFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007993729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:20.228{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62280-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000015900085Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:22.217{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA791D4FC999EB6CA8E2FCC607ABCE53,SHA256=71968E7951C29C6648DF04C6388706B4C16DDC77FF430F9E43BCD5A7F9F929BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007993730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:23.672{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B595AD02A8B8C5729D6F4477B0DF0649,SHA256=F2A29A1BDAB83AC99A02782346C5EC00A9436332F755D725C7937C40C4E50AFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015900087Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:20.479{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52009-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900086Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:23.217{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C64116116B0A6427D255D171D57A26A0,SHA256=B30A38C46535C9A588BC1732B35118C4D4BFBD5601F67B574C0C8C3FDB6F0442,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007993786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.500{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007993785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.500{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007993784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.500{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007993783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.375{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007993782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.375{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007993781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.375{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007993780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.375{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007993779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.375{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007993778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.375{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007993777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.375{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007993776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.375{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007993775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007993774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007993773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007993772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007993771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007993770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007993769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007993768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007993767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007993766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007993765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007993764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007993763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007993762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007993761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007993760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007993759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007993758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007993757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007993756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007993755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007993754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007993753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007993752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007993751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007993750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007993749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007993748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000007993747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007993746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007993745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007993744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x80000000000000007993743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007993742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007993741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007993740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007993739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007993738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x80000000000000007993737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007993733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007993732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.362{3BF36828-E9A4-60DD-2C02-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007993731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:24.360{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAE906F1DD9F38E68733211D338211DB,SHA256=7A6A9D0B5C97E0ACE81BA0F4EC4D68368F961C1704B630514C33F1393477DFD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900088Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:24.232{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC340B631CF9459993B77425C1553459,SHA256=E4129A3C626A5224002D58EB1EFE5D2E12548A3F09815A571DA472E1E97CE87F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007993890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.922{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007993889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.922{3BF36828-E9A5-60DD-2E02-00000000C801}21643616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007993888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.922{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007993887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.922{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007993886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.797{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007993885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.797{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007993884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.797{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007993883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.797{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007993882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.797{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007993881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.797{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007993880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.797{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007993879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.797{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007993878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007993877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007993876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007993875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007993874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007993873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007993872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007993871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007993870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007993869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 23542300x80000000000000007993868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1172F4F8CBF85E1A81714E7193282933,SHA256=E432D32F2F3E878B727499727434CD57947AC04F79EB16167EF419F23124D36B,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007993867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007993866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007993865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007993864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007993863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007993862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007993861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007993860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007993859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007993858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007993857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007993856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007993855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007993854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007993853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007993852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007993851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007993850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007993849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007993848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007993847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007993846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007993845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007993840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.782{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007993839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.784{3BF36828-E9A5-60DD-2E02-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007993838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.235{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007993837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.235{3BF36828-E9A5-60DD-2D02-00000000C801}47043932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007993836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.235{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007993835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.235{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007993834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.110{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007993833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.110{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007993832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.110{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007993831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.110{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007993830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.110{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007993829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.110{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007993828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.110{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007993827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.110{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007993826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007993825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007993824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007993823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007993822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007993821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007993820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007993819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007993818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007993817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007993816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007993815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007993814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007993813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007993812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007993811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007993810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007993809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007993808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007993807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007993806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007993805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007993804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007993803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007993802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007993801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007993800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007993799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007993798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007993797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007993796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007993795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007993794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x80000000000000007993793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007993788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.094{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007993787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:25.096{3BF36828-E9A5-60DD-2D02-00000000C801}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015900089Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:25.264{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8C0AE9D1BC300D88B555A4FB7044245,SHA256=AC971522ED76D76D98B91EB594F3AFDBE4A615D906509B53F2E6DA97CB363955,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007993943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.594{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007993942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.594{3BF36828-E9A6-60DD-2F02-00000000C801}34564164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007993941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.594{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007993940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.594{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007993939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.485{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007993938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.485{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007993937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.485{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007993936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.485{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007993935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.485{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007993934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.485{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007993933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.485{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007993932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.485{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007993931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007993930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007993929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007993928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007993927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007993926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007993925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007993924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007993923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007993922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007993921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007993920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007993919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007993918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007993917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007993916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007993915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007993914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007993913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007993912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007993911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 23542300x80000000000000007993910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9436D452EDCBC4CC51BF09F69D72D03,SHA256=82CAAF0CD3BA0C25F31C6A77E19E023239C5937FFB3CEA3B2039E6494034FBBD,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007993909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007993908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007993907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007993906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007993905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007993904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007993903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007993902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007993901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007993900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007993899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007993898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007993893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.469{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007993892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:26.471{3BF36828-E9A6-60DD-2F02-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007993891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:23.369{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62281-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900090Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:26.279{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A41D87659E393DCE19D810C7AD56A15,SHA256=F3FBEB988893EE44E525BC6A10FFC985B030B9ACA11E79CEF7AA531F828F4F17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007993996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.829{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF2750C69777664EDF9D393631D931B5,SHA256=E5CE0D69691CF5C4C3541E840BCC2AA1024D24AA5F978C7635963D0BDA0CEDEA,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007993995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.297{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007993994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.297{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007993993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.297{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007993992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.172{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007993991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.172{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007993990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.172{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007993989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.172{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007993988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.172{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007993987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.172{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007993986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.172{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007993985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007993984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007993983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007993982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007993981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007993980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007993979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x80000000000000007993978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007993977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007993976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 23542300x80000000000000007993975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18761A667D5B7B6E3FB090276B18E17B,SHA256=A4733A31904BF3C93CCDA97F079AC55AE5195D93343BCC78A3BD449FD7B1F2EA,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007993974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007993973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007993972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007993971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007993970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007993969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007993968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007993967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007993966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007993965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007993964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007993963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007993962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007993961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007993960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007993959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007993958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007993957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007993956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007993955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007993954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007993953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007993952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007993951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x80000000000000007993950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007993946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007993945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.157{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007993944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:27.158{3BF36828-E9A7-60DD-3002-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000015900092Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:25.495{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52010-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900091Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:27.279{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F0C19686008F19E5803E22BB9887ADA,SHA256=08A2D465032699794625386252C85F561960FBA9D5104E7A016D77364D3FED1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007993997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:28.594{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E022D47B75729033397A25AE16C067B,SHA256=D6D287F3FA73EC793A6692A94C87161FBF9C98358B554AA8EBB97E0911CA69E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900097Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:28.623{B81B27B7-880B-60DC-1F00-00000000C701}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=4E0914330CF991411BCA0353ED4364EC,SHA256=0B10F2538F257F6479D31B833B588BD7F4AC33D5A699CFBFC399D53E86F56D1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900096Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:28.623{B81B27B7-880B-60DC-1F00-00000000C701}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=F979096EFD669495280CF44057494794,SHA256=4F9B6D2D596C5F058BC3781F953F2A20ABA65437DF0614B925235291008DD041,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900095Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:28.623{B81B27B7-880B-60DC-1F00-00000000C701}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=04CD27043B6B2A3827534AEAD30AC035,SHA256=9458ECD11FEA5535635A1F12ABC66E53BE818C95C91E9D09174DFAA7057B5633,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900094Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:28.576{B81B27B7-880B-60DC-1F00-00000000C701}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900093Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:28.295{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE05F9BE652102386C9816A0FBA551C1,SHA256=48D209798A05EEA0806228FED32AC4C15F75CAC4A1A9F6919E5192C37B367F03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900098Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:29.326{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46560FFA83460C0B2D073A697E3BD503,SHA256=BB622AF710DF0C106F410C7699E0FD19386B7ECF8740E7B5722FC2E66BCB68C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007993998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:30.079{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F35BF669F04200E8BAF64BFA5766FD1,SHA256=BD2AD81AC96C94F87F8D4E7FF641B13DBDB571F744BE7D1C3BE248AE3F8DF2C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015900100Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:27.870{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52011-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000015900099Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:30.389{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1BF52C7F9C493E9EA4983E3FF2E250D,SHA256=F0A5EDA255C6D65F370CA5A7B44D6A6D3CB9ABA1E98E489DA625A3BBAD4DD956,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:31.548{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96BB71CD0C926B956EFA78E227DA9D40,SHA256=F1DAD08D91A699BB37416D27D58582FFA54A039CF70434362C8275A4A3F018FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007994000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:31.548{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6FA7D6D8CAB0E5F2240A5803F46A43A,SHA256=4E1260D18BA8661C72116C4BA467268A5C54EB5D9F03F53EF222989C0C0A7987,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007993999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:29.260{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62282-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900101Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:31.451{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7B5D3B3FA3CD45FDC80F67388F0714E,SHA256=824453B160300A3A6C3B739159C7ED15564664B509E099F9365628417C03CA39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:32.923{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ECC0D1305638F24FAC2CDDD67D195A4,SHA256=9CF65E24E0AC9DE57CA5E9FDE98409E9E1EEB07AEBB2700065B8F17F785D3F47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900102Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:32.451{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C8185D8CF50CF74266FA1201A8F5E79,SHA256=4EB50AA16E9D78E354E25D8B1BFB319C618B99E6BA036A1008725820B7CDEA25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015900104Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:31.370{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52012-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900103Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:33.467{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3040E45C3F8824B5042159DA3EAE9A1E,SHA256=CC19026352994044430961E73044188231585BAE71904B758F7D4E3F5188B339,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:34.298{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75D07BE26CC4961E7169552F432C36A8,SHA256=594E44B336AEA8055F02C39EFD64675A0747C25EDAAF47867B11D5459B0DF51D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900105Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:34.483{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21F71977B51E83EDB866C8832ABB804B,SHA256=DFFBBEE694B6810B18A76F1C6128667332A1B83AD63E97A4663988ED68310730,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:35.673{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3047FD365979566F6C0E9A21B6ADDFD,SHA256=91CF38C19CD5200E5932E262A5F5A814F19C550058A670BFCE8715CD71C90ECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900106Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:35.483{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=805F4C0008F51EE5C1D26CC4B43460A7,SHA256=1B6FF178A9B1EA7CC02DB97865175BB3AC5B4278C77069594057838B20D5E3F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007994005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:34.338{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62283-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900107Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:36.530{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=387B89155A040493DD087D5F70879BDB,SHA256=7A175786155E45F721AAFBE23E01270DA63192105E4C595D4E85C13EFEDEA9E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:37.032{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FDB750904DD5D7C36DBFE056BF7F937,SHA256=8B4530EB23797B5C463B9177E6F48EB52D1DE92DA1315A40025BBC145D1C5B2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900108Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:37.545{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26588F53B103B3C2626642BECBB1FB8A,SHA256=13E78DC3E1A7B1C956B5F25503E18F7E16434A46B96926991A8BAD553E2C3689,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:38.407{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A2999E034EE401C6B4D36029DC1E0AF,SHA256=9458D13A893D123FC00D9CED51FFC948E86514C083E2B9E75AF9C41459E9C6D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015900110Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:36.480{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52013-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900109Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:38.561{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD17EC4B099DFD37438A171CC0F0ADE2,SHA256=6319986EB658841DADBF8204BA3F7CF07B0D0C1112B910CB7489A5C794B6DD65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:39.766{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4A3EBC59DB43DC66F92AF5C8C98039B,SHA256=AA35CC059E72E85AAF05C9977BC02CC2AEE9A13B7D08B0C34C5CD57DF23D1909,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900111Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:39.561{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A6A093564479F38D95F99E51C8F8626,SHA256=651DB8CB349FC9A69B4DC0D0ED4544782869A5DCB6A0CC31128E786C7A73EE94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900112Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:40.576{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44A2707508EAC99025F359727D5061E3,SHA256=1DE0F59727CC849DA7E3BF8C34F4E4E1FF73C034FFD11A2162CD98F84095AC52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007994011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:39.338{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62284-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007994010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:41.141{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67B85F1EC108BD1D28B8309F71C9AC98,SHA256=4D3715E3E32125ABCE556D56C5409666AE4A5341EF81B77135F4F50C68E01C10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007994009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:41.141{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E74916A235FA174EB7BAD63171585A,SHA256=C01F364923DDB309E21F1D77A043F6B2BD1B534914F43288FB16481020FCEF2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900113Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:41.608{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43B77E4BEDDBADDFF79186BD7BA93A27,SHA256=6EB3B2B011B36B5D95D3403D9C1A3C588C366DF4FC7C5BE02E6708AE37EF180C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:42.516{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63251914615A6C4AF0E0B2AF181E9C16,SHA256=1DC0D0856FCFFDDCB24E330E51BF776CE8CB797F68A6A6FB39747439E7E36CDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007994012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:42.438{3BF36828-DD0D-60DD-1200-00000000C801}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=190612C350ABD3DEE66D3E2CFBC00B87,SHA256=817858286A1877EF62722E4B3A2071CB854A965E61AF67DBA48881EF6E177569,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015900127Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:42.701{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E9B6-60DD-552A-00000000C701}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900126Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:42.701{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900125Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:42.701{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900124Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:42.701{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900123Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:42.701{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900122Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:42.701{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900121Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:42.701{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900120Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:42.701{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900119Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:42.701{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900118Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:42.701{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900117Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:42.701{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E9B6-60DD-552A-00000000C701}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900116Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:42.701{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E9B6-60DD-552A-00000000C701}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900115Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:42.702{B81B27B7-E9B6-60DD-552A-00000000C701}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015900114Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:42.623{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E20BC74A1764949A44B4988AB3C184F0,SHA256=F44CAF33FEA3EB82AF7A847CE2811F599A71CDCA609B90B3572D1F1CA7182F42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:43.876{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28853BED92333EA054F3E470AE624E81,SHA256=01F7C54E7C68652CB2C12D99FDBF26ACFF0C31F9394E134621D7240294A67CF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015900140Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:43.373{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E9B7-60DD-562A-00000000C701}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900139Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:43.373{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900138Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:43.373{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900137Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:43.373{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900136Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:43.373{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900135Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:43.373{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900134Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:43.373{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900133Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:43.373{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900132Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:43.373{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900131Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:43.373{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900130Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:43.373{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E9B7-60DD-562A-00000000C701}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900129Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:43.373{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E9B7-60DD-562A-00000000C701}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900128Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:43.374{B81B27B7-E9B7-60DD-562A-00000000C701}6060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000015900186Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.203{B81B27B7-E9B8-60DD-572A-00000000C701}8682356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900185Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900184Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900183Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900182Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900181Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900180Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900179Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900178Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900177Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900176Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900175Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900174Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900173Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900172Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900171Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900170Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900169Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900168Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900167Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900166Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900165Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900164Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900163Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900162Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900161Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900160Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900159Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900158Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.170{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015900157Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.123{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=196DDEBD1B9CECE234DAD76A9DB57A9C,SHA256=38CA27C7D7321C4B87766465C8BFCACD95AF0C1C11BC060776238EEFD6E9DCDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900156Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.123{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=995E2FFF010674E49318918D130640D2,SHA256=ED76E17FDA5ECBB35D6F4EC7CB7604C19E25FA5A2A207E55EB65CB0C014AF990,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900155Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.123{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C01D0643B5199E24BF9C776D6AA810F9,SHA256=FC429F0F303DE602AC747F1E6237CDDDEEB21233ED5C5479503009F8CD2C76CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015900154Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:41.511{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52014-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000015900153Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.045{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E9B8-60DD-572A-00000000C701}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900152Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.045{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900151Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.045{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900150Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.045{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900149Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.045{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900148Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.045{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900147Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.045{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900146Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.045{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900145Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.045{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900144Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.045{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900143Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.045{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E9B8-60DD-572A-00000000C701}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900142Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.045{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E9B8-60DD-572A-00000000C701}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900141Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:44.046{B81B27B7-E9B8-60DD-572A-00000000C701}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007994015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:45.251{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0F1484FD0862118EA34617BEAEB9144,SHA256=155511BAD5D94A69DF1CDF810136EAD92719AA48E88FD445DF782304C4453516,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900188Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:45.248{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C801662D7166672452EC3D4CC65A20F,SHA256=E8FECDC26314BA1632DFEABE0950C6D989EF065415E1C31DFCFDAE538CAF651F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900187Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:45.061{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=196DDEBD1B9CECE234DAD76A9DB57A9C,SHA256=38CA27C7D7321C4B87766465C8BFCACD95AF0C1C11BC060776238EEFD6E9DCDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:46.626{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7670CFA896CB37740F38041C14ED990,SHA256=38E23378A0E54814C98136DBF84B07F6927AFF35330420337820B7D5FA4B3203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900189Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:46.061{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE79CB12DB9092D0A4A31B0C085C5921,SHA256=9C8803E81255F392183852AAD3D1FEAA8EAF6AB68ECEC8779A7E0D451ADB8A25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:47.988{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B83E6A6835518BCB51A46B93F1CF865,SHA256=28AE18A3A1D7F59380685B41BCD643CCF591F7FB66738E61AE48F61325EE84AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007994017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:45.337{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62285-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000015900214Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:47.564{B81B27B7-E9BB-60DD-582A-00000000C701}50604720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000015900213Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:13:47.420{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000015900212Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:13:47.420{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0565accd) 13241300x800000000000000015900211Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:13:47.420{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d76e8b-0xb0623807) 13241300x800000000000000015900210Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:13:47.420{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d76e94-0x1226a007) 13241300x800000000000000015900209Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:13:47.420{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d76e9c-0x73eb0807) 13241300x800000000000000015900208Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:13:47.420{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000015900207Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:13:47.420{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0565accd) 13241300x800000000000000015900206Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:13:47.420{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d76e8b-0xb0623807) 13241300x800000000000000015900205Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:13:47.420{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d76e94-0x1226a007) 13241300x800000000000000015900204Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:13:47.420{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d76e9c-0x73eb0807) 10341000x800000000000000015900203Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:47.405{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E9BB-60DD-582A-00000000C701}5060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900202Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:47.405{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900201Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:47.405{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900200Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:47.405{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900199Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:47.405{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900198Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:47.405{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900197Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:47.405{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900196Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:47.405{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900195Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:47.405{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900194Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:47.405{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900193Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:47.405{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E9BB-60DD-582A-00000000C701}5060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900192Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:47.405{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E9BB-60DD-582A-00000000C701}5060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900191Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:47.405{B81B27B7-E9BB-60DD-582A-00000000C701}5060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015900190Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:47.076{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB63E262095F3C1F5195E8B5C56531DD,SHA256=7AF32690E663C51B7C2B2FC572A643FBB992A166162D3A805C1089CE908E3ECE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015900244Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:48.908{B81B27B7-E9BC-60DD-5A2A-00000000C701}26322584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900243Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:48.752{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E9BC-60DD-5A2A-00000000C701}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900242Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:48.752{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900241Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:48.752{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900240Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:48.752{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900239Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:48.752{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900238Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:48.752{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900237Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:48.752{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900236Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:48.752{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900235Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:48.752{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900234Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:48.752{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900233Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:48.752{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E9BC-60DD-5A2A-00000000C701}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900232Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:48.752{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E9BC-60DD-5A2A-00000000C701}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900231Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:48.752{B81B27B7-E9BC-60DD-5A2A-00000000C701}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015900230Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:48.564{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8EAACD93B76661F6C708D38A86CE529,SHA256=325CA97B7F9C600C90F9C2FBAA63DAC3C6CEC86CD900D40B027C2157284059F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015900229Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:48.220{B81B27B7-E9BC-60DD-592A-00000000C701}23845140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015900228Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:48.142{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EB6CA7E682597A26092AD1F01EC2476,SHA256=E94103A5E90B3E7BFD25FFC8AA5406D2839D5564EBDFB8C419184F2A1291FFE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015900227Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:48.080{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E9BC-60DD-592A-00000000C701}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900226Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:48.080{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900225Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:48.080{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900224Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:48.080{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900223Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:48.080{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900222Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:48.080{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900221Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:48.080{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900220Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:48.080{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900219Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:48.080{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900218Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:48.080{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900217Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:48.080{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E9BC-60DD-592A-00000000C701}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900216Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:48.080{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E9BC-60DD-592A-00000000C701}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900215Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:48.080{B81B27B7-E9BC-60DD-592A-00000000C701}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007994019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:49.347{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9258F759ACBDA385C53A6035D9EA879,SHA256=C73769D0430B42CC4496550F3D5D2C234D07FF48FA2D7544CD7F6BFD90705218,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900259Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:49.752{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87AF6F7D90B0E25612E0BF15A31A1605,SHA256=93A71579B0E4DA02CB0FF4A298C5D83FBDBBD468A4E94E416BC62D36C5C2F0C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015900258Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:49.392{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E9BD-60DD-5B2A-00000000C701}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900257Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:49.392{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900256Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:49.392{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900255Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:49.392{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900254Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:49.392{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900253Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:49.392{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900252Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:49.392{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900251Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:49.392{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900250Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:49.392{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900249Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:49.392{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900248Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:49.392{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E9BD-60DD-5B2A-00000000C701}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900247Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:49.392{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E9BD-60DD-5B2A-00000000C701}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900246Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:49.394{B81B27B7-E9BD-60DD-5B2A-00000000C701}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015900245Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:49.158{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0E5FC6C29BC3B2C65F0231F6F21E808,SHA256=3CA101453B1F167B4AA643C792FD6548F6582871986CDFAF0756E3DA4C97A629,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:50.707{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2D8137F26AFCC629BF9D7C85AC2CF99,SHA256=E1DEBC9DDC93CB0BD50566DF09E43DE144202E1D54C0CBEA0A8EE5EA98685402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007994020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:50.035{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6655ADF6EEDCC7B5075074A46D696BCD,SHA256=8DF7EEA5961B72E61556815817FE996D23A1BF408C591870F8AF92798E0A07B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900261Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:50.158{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24F9389C1828C81A1AF54F4CDBEF0CA6,SHA256=EFBD61A84B0512345A0921D75F24780DE483A00DF506A76859F725B6B6C274B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015900260Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:47.499{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52015-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900262Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:51.173{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=383E8F40A9F2EF20F4C1A54D2DC41CF5,SHA256=B1C1E32407E6CC746E9FC267A3CA0177AA2C5A1F4C304A14B900009AF4B63CC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900263Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:52.205{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C898BF8664790D75434BAE14D877BDD,SHA256=DF4A131DEFA1FE8541DE5B4E3F67DCE2ADCE533702C087E187D73797D303C4A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:53.409{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27D3F320F9889E9D636C77CB49D5EFB1,SHA256=1565FE48357A01ACDF067DE957841CA8D27E6388647F64DC6DDBEC6683570819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900264Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:53.220{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C217905522F7C881FDACD6AB55C28D18,SHA256=6347D6AD8181ED0945CEF5C416B317A68F09EE30FD487660A925C182DD4C1721,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007994023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:51.357{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62286-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900265Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:54.252{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF90DF1D0CD23E2B591727BF28BA630B,SHA256=D95A14FEEA4AFA88DE976F77A8037FCE99F57965E55AF1AB10872DEFA351A5CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:55.427{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B9C01353D6B6B4F44C70D6E08E1A60A,SHA256=A78A28BC1A0209762610A6F5D5D59821C419669D73FBACC2CE66D0C774B21453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900268Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:55.392{B81B27B7-880A-60DC-1000-00000000C701}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D4DC1672997A4827ADDD4E6C2E20E22C,SHA256=335BECFA78D3068BA7013D5D80507BBC3A85AE969957636742B40231F82E49D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015900267Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:53.389{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52016-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900266Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:55.283{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2DB0F50BB97C2BEF5740FADDBA003CB,SHA256=6DCE3A7C5ED47E3E21A3C5C1F34163D37FFE3E90A434F0245C4F0550D59CDB81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900269Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:56.298{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8426549499A8CED1440C780364E0F15,SHA256=2474022367C861B15C966FD8EACD619798A9E58C6F864C959F695DFCAC3AFB78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:57.177{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECA993186157149EFD16382987C9C4AA,SHA256=D18D8BAFFE54B7E3E9547DF658355FE0B0155A2E400CC8B25ECAFB779EE5FCD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900270Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:57.314{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7EB0DC9C821FB11E7B659245F878056,SHA256=9EB2B946E71B2CE442DF4D9FCBE27AC442CA3A87DA08C381CFE7B83EE67B371D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:58.553{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=268F858BB610B2DFA61FE48CF09F0D68,SHA256=25B7DCD489A771AD358F1BB800701362664225CF75DFEF86774E57E65277AED9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900271Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:58.330{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD66397DAEF1CAD0872D5EB1359FFAD6,SHA256=9A5490A263862BF420A4A5100D7EFF8154B93C61310AD68808CEBA32077C9879,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:59.912{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C18446964513E595FFBEEF4496C18BD6,SHA256=9D57EEA0EF188DF02457ED4BE6F6AEB7620A32B1DD3C16FA6B63CC004B302A3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007994027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:13:56.405{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62287-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900272Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:59.346{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD4CFCA912D7D63232A482EDAA241AC2,SHA256=2BAD0233532CFF437983FE0DE50305121CEC653902853E056BF4B84C2FACEE2B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:00.599{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7D79C7B271434FBFFA4E29CD764216C,SHA256=1CB850C42B7DDB095F444CAF295377DE710C40482F21AF70A4A994BFA788F797,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900274Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:00.360{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA7AD8BF431394012602C7A34FDDCA8E,SHA256=CE3D3805012DC93696898060E0A5A2F3A1CDE89C3AAE90D50EF9B8701D89DCF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015900273Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:13:58.437{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52017-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007994030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:01.287{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31C3AF0ECA72B00857F5C6848157E49C,SHA256=73CDD80ED758E7B98C1E55588403AB6D4801DB37F544AA456C73BCD2F3D75977,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900275Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:01.362{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4E6B55BEA60F21E1BE4A64ED541F28D,SHA256=D2D16197B1ED7CD2FFDF5C3BE7068B019A05D326843532B02A4852DD13A33941,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:02.646{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D492F846FEB2F1350EB8494754C9E25,SHA256=FE654D5AD59CCCE183A9F8FB67C75F4F749081ABF8E9A3D3112D6AB2D3D87644,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900276Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:02.378{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE31F0EC43C684811F78E397B078D5D,SHA256=EA8A71BE409B55365C8AB6789EA001C7BCCA99EEC42A6176BBE78E60F9BB4A34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900277Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:03.378{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF700A6D840B8B8C023D29BC0266ABDC,SHA256=1057A69B9516E492ECF47F6DCA9011CF71CA178999E93E3822EE8239F61E54C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:04.021{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB3750BA280DE672FEF51AA6A704F947,SHA256=D68391C2D9803706CB9C97C1C093559505D3482C0EA095F3098F07DCCCF927BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900278Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:04.393{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6B91510DC72D0212335084C4E306D98,SHA256=E1BFC14D2D1855E24FEC72CB5BE08F88867766D8F1D45CED1E92FE070EBB5A76,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:05.381{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6DE3961546403FE929FC83622EDD4B3,SHA256=402044C1594822F50846C281C912256E82C2331613C2A751646C9D8157B912ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007994033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:02.311{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62288-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900279Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:05.409{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E324B5F46056B7B431C2ED6F4DB4BDFB,SHA256=1A38870F9CD3C4521C5A9C7FEA2F739089426BD08C55F8D6D70ADB889481AA6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:06.740{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1C9BC8041534F0191388367CC09C5B1,SHA256=38196FE5AE12AFED3AB4BB5C75FC7AB0A6159209DC04B166E5E50FEA1A2CE5AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015900281Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:04.469{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52018-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900280Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:06.425{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24675F43325E41D01EBB2D6561F78EF6,SHA256=11943891CAD567EAEADAC85E799D7A6A0EAFE1057453F80D428A6C8EC71E1802,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900282Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:07.440{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA90C5D1BA6BB3505E2B92E1872AAEE8,SHA256=0FFC9164B500AC35BCCB93867D3E48EDAEC31C4F6E3523A14FFF297AD0DFF525,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:08.108{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F94B928EDFF90C8177FD55BDC91B033C,SHA256=C19F8C28018C76540C691676B659046C1799BB2F6AB6C647D8F7F1A0B0B9BABA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900283Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:08.496{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5F405071D93C8087ED9202F59372E58,SHA256=C669C649EE56D8E6C18D8AF4900A18FC0FB0CBCED76738C7DFF50BFCA66216DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007994039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:07.335{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62289-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007994038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:09.467{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=479C77980F2E72CB7BEC8B5CCE4626B9,SHA256=25248B3A9AB4FDEE6E6606C54ECD03B39C1B8DE8D5A5689DF8AFEB6D8395BE1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007994037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:09.467{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=253F6BFA686FFDAAC235C9D5D01690D2,SHA256=80036D584B019E48CAC993E28CAEA41BE382A818AC394BCDA577E4B423DB5108,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900284Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:09.496{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D36F74958F8A5D699B048883C319411,SHA256=B2A34096273420A504118C36AA2FB30AF188354802F9B503BAEEB9F750C6974A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:10.842{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41A7B270D41E7365B76F2AA4F4B2622E,SHA256=E7E4A8FD331E3C76B808F16577714F5E4D3DC0D2ACE2195D4AFD95ADB7280C45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900285Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:10.512{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1AB1FCACAC91B2A38ED197FAED960BA,SHA256=EA639B34996D08660D6A52A479B83061E33530DD6CDCDCBE4CFE584A49A4D2A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900286Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:11.527{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983DCB8468B1B0A0ECFDADBE6BBC5614,SHA256=A9EE20E8FB72885E67C0E3F3B14809F94806A88AEC967337B2CDF61CD35CCAA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:12.202{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38BB046DFE60E73AF344A2FDE0C74EBF,SHA256=B3B92336B060B40AFD4242038E465B2083EDF0A602E85A42636ADB48789DCFD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015900288Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:10.368{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52019-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900287Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:12.527{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=074EDE51B69F9B5025223D580A8AFDEF,SHA256=9E245F5AE0F68B1BBC263C8A4BAAC50B43EB9F5320534475E49C02C97DBBAC07,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007994044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:10.804{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62290-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007994043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:10.804{3BF36828-DD1D-60DD-2F00-00000000C801}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62290-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x80000000000000007994042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:13.577{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76C5C165826870146EB3F1986B318B71,SHA256=F45499D41A394F4F259A47AE583E84825A4A2D05BB30D5B04B47B0AA9AC6D4BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900289Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:13.543{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E85EF9743CA59996D013572ED3CDE15B,SHA256=53D94BE3B0EFE48CCADD98EF2D20FA1088FF891F4DC75898649605EB314E7DA4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:14.936{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C3F626F1B6D07F7EB3A8438D82149CD,SHA256=897E5F2545B0FE7659744D1B6156F465106AD6F68DE649A2D4E11C0AE5B2027D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900290Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:14.559{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6FFF6D7105422CD4C51E61B62C1DD1A,SHA256=0DA5927940606A7EB61B3597FA7A54D7A37D3888A53ABE23B489DD1EFB3A8901,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007994073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:12.366{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62291-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x80000000000000007994072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:15.170{3BF36828-E9D7-60DD-3102-00000000C801}1576C:\Windows\System32\taskhostw.exeC:\Windows\System32\wuautoappupdate.dll10.0.14393.4169 (rs1_release.210107-1130)wuautoappupdateMicrosoft® Windows® Operating SystemMicrosoft Corporationwuautoappupdate.dllMD5=F879DAB8991B7F956E27C391FFF7D650,SHA256=D62DA2FF321B406228D07F1BF3FC86ED91B1426334C4A0FE5A4B915F3A4083F5,IMPHASH=70E7795F577E22193FDFA9A5BBAF39B8trueMicrosoft WindowsValid 734700x80000000000000007994071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:15.170{3BF36828-E9D7-60DD-3102-00000000C801}1576C:\Windows\System32\taskhostw.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x80000000000000007994070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:15.170{3BF36828-E9D7-60DD-3102-00000000C801}1576C:\Windows\System32\taskhostw.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x80000000000000007994069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:15.155{3BF36828-E9D7-60DD-3102-00000000C801}1576C:\Windows\System32\taskhostw.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x80000000000000007994068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:15.155{3BF36828-E9D7-60DD-3102-00000000C801}1576C:\Windows\System32\taskhostw.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007994067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:15.155{3BF36828-E9D7-60DD-3102-00000000C801}1576C:\Windows\System32\taskhostw.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007994066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:15.155{3BF36828-E9D7-60DD-3102-00000000C801}1576C:\Windows\System32\taskhostw.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007994065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:15.155{3BF36828-E9D7-60DD-3102-00000000C801}1576C:\Windows\System32\taskhostw.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007994064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:15.155{3BF36828-E9D7-60DD-3102-00000000C801}1576C:\Windows\System32\taskhostw.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007994063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:15.155{3BF36828-E9D7-60DD-3102-00000000C801}1576C:\Windows\System32\taskhostw.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007994062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:15.155{3BF36828-E9D7-60DD-3102-00000000C801}1576C:\Windows\System32\taskhostw.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x80000000000000007994061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:15.155{3BF36828-E9D7-60DD-3102-00000000C801}1576C:\Windows\System32\taskhostw.exeC:\Windows\System32\taskhostw.exe10.0.14393.3297 (rs1_release_1.191001-1045)Host Process for Windows TasksMicrosoft® Windows® Operating SystemMicrosoft Corporationtaskhostw.exeMD5=B5D41CD8E27C26DA82B11B277D233B04,SHA256=1876990EEBC99F0B0F66BEC435FE2810E450532E23E22427DA31A09802394461,IMPHASH=1CCD2E7A159E4500473733FB9D75028BtrueMicrosoft WindowsValid 734700x80000000000000007994060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:15.155{3BF36828-E9D7-60DD-3102-00000000C801}1576C:\Windows\System32\taskhostw.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007994059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:15.155{3BF36828-E9D7-60DD-3102-00000000C801}1576C:\Windows\System32\taskhostw.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007994058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:15.155{3BF36828-E9D7-60DD-3102-00000000C801}1576C:\Windows\System32\taskhostw.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007994057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:15.155{3BF36828-E9D7-60DD-3102-00000000C801}1576C:\Windows\System32\taskhostw.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007994056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:15.155{3BF36828-E9D7-60DD-3102-00000000C801}1576C:\Windows\System32\taskhostw.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007994055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:15.155{3BF36828-E9D7-60DD-3102-00000000C801}1576C:\Windows\System32\taskhostw.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007994054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:15.155{3BF36828-E9D7-60DD-3102-00000000C801}1576C:\Windows\System32\taskhostw.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007994053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:15.155{3BF36828-E9D7-60DD-3102-00000000C801}1576C:\Windows\System32\taskhostw.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007994052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:15.155{3BF36828-E9D7-60DD-3102-00000000C801}1576C:\Windows\System32\taskhostw.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007994051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:15.155{3BF36828-E9D7-60DD-3102-00000000C801}1576C:\Windows\System32\taskhostw.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007994050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:15.155{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:15.155{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:15.155{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:15.155{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:15.155{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015900291Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:15.574{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FB6DB7024F5AC53C27194B5B0CCD0AD,SHA256=5DDE4BFD0241BAA63A1EE3AC3D819ECDF77704EE4B249BBEDAE53610B2F8EDA4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:16.295{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB0E6451938AB23CCC946098B6FEE9EB,SHA256=65D5A8DA8F081DF38A68A1A36B69EFA67DFE8C14DF0C6F6C2B053880A2A6B90D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900292Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:16.590{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8860F49652A11FF677B294D933C4BADC,SHA256=15979C86688BD53E8D54C09912F24729815FD2E8CABB3C4854DC8164C9D66B68,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007994127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.795{3BF36828-E9D9-60DD-3202-00000000C801}51003640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007994126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.795{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007994125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.795{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007994124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.686{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007994123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.686{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007994122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.686{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007994121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.686{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007994120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007994119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.686{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007994118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.686{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007994117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.686{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007994116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.686{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007994115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.686{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007994114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007994113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007994112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007994111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007994110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007994109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007994108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007994107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007994106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007994105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007994104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007994103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007994102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007994101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007994100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007994099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007994098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007994097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007994096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007994095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 23542300x80000000000000007994094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E4A1B1012F303AE8B482D99AF6998A2,SHA256=CEB6A38A900CBF2EB24959C47D476BE323382F1417F3EFF7B273892E391B5CF8,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007994093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007994092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007994091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007994090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007994089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007994088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007994087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007994086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007994085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007994084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007994083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x80000000000000007994082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007994077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.670{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007994076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.672{3BF36828-E9D9-60DD-3202-00000000C801}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x80000000000000007994075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localT1042SetValue2021-07-01 16:14:17.514{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXEHKU\S-1-5-21-1166625382-1442148322-2337405042-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefileBinary Data 354300x800000000000000015900294Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:15.399{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52020-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900293Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:17.605{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8525DD221DC2E6138DEE18A140C644E3,SHA256=8253C6170AAAAD52D49B615414AC23B9DE58DCCAE5816FCC3955EA36FAC755CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007994194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.889{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.889{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.889{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.889{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.889{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.889{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.889{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.889{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.889{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.889{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.889{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.889{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.889{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.889{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.889{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.889{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007994178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.467{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007994177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.467{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007994176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.467{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007994175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.358{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007994174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.358{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007994173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.358{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007994172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.358{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007994171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.358{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007994170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.358{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007994169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.358{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007994168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.358{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007994167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007994166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007994165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007994164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007994163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007994162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007994161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007994160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007994159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007994158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007994157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007994156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007994155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007994154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007994153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007994152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007994151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007994150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007994149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007994148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007994147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007994146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007994145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007994144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007994143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007994142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007994141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x80000000000000007994140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007994139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007994138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007994137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007994136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007994135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x80000000000000007994134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007994129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.342{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007994128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:18.344{3BF36828-E9DA-60DD-3302-00000000C801}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015900295Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:18.621{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17BA75586156645A011294C0B95A14E6,SHA256=41758FE18649D97765974D3FF3A753CCFE5EF157555FECE2C10F30E0E5C4DBB1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:19.749{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=423BF6DE184ADD427C5DC3C308752F03,SHA256=90D26296DFC6B416D79EAB78D1720A3CD718182B8846E8DE46E205C7EB714BAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007994196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:19.061{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=602D0DA7744CFFA5316E95496F3D7530,SHA256=19A58423F9E4416D4FADD8AACC85F87B6195AA9AD111247CCCD641A7E8EE3026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007994195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:19.061{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B730530A0E350CED4758791ED9B33AF2,SHA256=AACF509A144B0DAAF04A3A79802B198F86FF7F6FA2CD5D582831D982FA3CCD97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900296Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:19.637{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70E83AA318B3E1EEB80E138A01FD69D1,SHA256=AE4783DD0B77C5F9039BCDAFB1192F3C181A2F8340496034A6D1171102CE3F03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:20.420{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F32CE6222E92BFF9C0801D229D5D6F58,SHA256=49BD8CC641EB1A631C4443284DC19735EFB625DC3EC4476FC633315015708701,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007994198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:17.413{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62292-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900297Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:20.684{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76A045C2BA362C694AA0AE522583134E,SHA256=C00680BE772CC1A69A20D77FF9A4AF7BEEFEDEBFDE52DA9B4E5724B4EB850D48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:21.108{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8367FD1BDFDA52E8F71EA17C82FFF3CF,SHA256=6B46E47955DA82A0505D2DFCAC46F27B77E0B720C04B988E4E8FEE3835C2E8BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007994200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:21.077{3BF36828-DD1D-60DD-3000-00000000C801}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900298Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:21.715{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21BBCEF43C03887658478D3304C23A19,SHA256=3851A1BCC307FC8A5654DD3578F3308C4661F9AB7CF6E01E66BDDC47B813E74D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:22.592{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93807D6D3CA972C9D092F812521F444A,SHA256=D817F4941C88C3968591E05DFC69342927D13890C4886E3291918A52264E8780,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900299Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:22.715{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7AEED25342ED3ABDEE21923EA2B0E04,SHA256=CA77F63A3138E89FBFCA64AB73F3156F566BD3D814FC5F5DF056E59A12346866,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007994203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:20.256{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62293-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000015900301Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:23.730{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E5503D75A4E2BE75FB7B5A95BB0F3EF,SHA256=385DC0935E1FD471A904A778856DC1959DAB3B13982E4ADAEBD386BD95E6A8A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015900300Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:20.462{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52021-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007994204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:24.608{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24BB92AD830B96B12D9F5BE000C0152D,SHA256=19388A39D19E3C362FD6FFEE36C13D614457092A3530C1D04496B5DAF4FA0B78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900302Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:24.746{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46B5949D0F1EB24E5BB55F7B226C18E1,SHA256=029B021ACAF3334F9D8140C223A18A87359622C8081D457E49963E8EA8D60DF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007994260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.655{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007994259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.655{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007994258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.655{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007994257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.545{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007994256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.545{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007994255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.545{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007994254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.545{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007994253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.545{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007994252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.545{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007994251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.545{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007994250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.545{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007994249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007994248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007994247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007994246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007994245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007994244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007994243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007994242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007994241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007994240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007994239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007994238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007994237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007994236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007994235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007994234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007994233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007994232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007994231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007994230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007994229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007994228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007994227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007994226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007994225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007994224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007994223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007994222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000007994221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007994220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007994219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007994218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x80000000000000007994217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007994216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007994215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007994214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007994213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x80000000000000007994212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007994207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.530{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007994206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:25.532{3BF36828-E9E1-60DD-3402-00000000C801}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007994205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:22.413{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62294-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900303Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:25.777{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AEF1C32B5013CA0B6DDB9F7E68EF2E4,SHA256=93C6472631736B58F3007349147566FEA633A685C7040FA657F986CEF2C409F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007994359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.936{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007994358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.936{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007994357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.936{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007994356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.936{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007994355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.936{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007994354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.936{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007994353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.936{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007994352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.936{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007994351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007994350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007994349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007994348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007994347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007994346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007994345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007994344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007994343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007994342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007994341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007994340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007994339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007994338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007994337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007994336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007994335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007994334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007994333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007994332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007994331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007994330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007994329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007994328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007994327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007994326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007994325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007994324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007994323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007994322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007994321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007994320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007994319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007994314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.920{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007994313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.922{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007994312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.358{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007994311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.358{3BF36828-E9E2-60DD-3502-00000000C801}34201132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007994310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.358{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007994309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.358{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007994308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.249{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007994307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.249{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007994306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.249{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007994305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.249{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007994304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.249{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007994303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.249{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007994302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.249{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007994301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.249{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007994300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007994299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 23542300x80000000000000007994298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB6DB4199F11FE227E66E00F99DB02F5,SHA256=313244DB5F43673875F59589AEA47EBF945DE41F3C6429B825B1E77FC3B8105F,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007994297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007994296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007994295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007994294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007994293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007994292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007994291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007994290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007994289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007994288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007994287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007994286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007994285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007994284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007994283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007994282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007994281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007994280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007994279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007994278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007994277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007994276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007994275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007994274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007994273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007994272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007994271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007994270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007994269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007994268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007994267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007994262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.233{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007994261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:26.235{3BF36828-E9E2-60DD-3502-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015900304Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:26.809{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB13C8C4BDCA00BF94705375EA2A9336,SHA256=ABA7E92979B3D0879C41EEB186A0E4CF86207A2EC3B9BF80829094DCB6B33C24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007994416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.749{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007994415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.749{3BF36828-E9E3-60DD-3702-00000000C801}34561224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007994414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.733{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007994413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.733{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007994412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.624{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007994411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.624{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007994410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.624{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007994409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.624{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007994408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.624{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007994407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.624{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007994406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.624{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007994405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.624{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 23542300x80000000000000007994404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=454B1C10DF3896523FF1230BF79A5AE0,SHA256=A63FE3B717C4F314F211C028159722540ECE7D4FEA42CFB53379EFB18BBE1BE5,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007994403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007994402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007994401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007994400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007994399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007994398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007994397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007994396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007994395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007994394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007994393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007994392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007994391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007994390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007994389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007994388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007994387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007994386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007994385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007994384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007994383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007994382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007994381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007994380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007994379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007994378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007994377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007994376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007994375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007994374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007994373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007994372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007994371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x80000000000000007994370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007994365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.608{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007994364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.610{3BF36828-E9E3-60DD-3702-00000000C801}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007994363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.045{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007994362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.045{3BF36828-E9E2-60DD-3602-00000000C801}20402632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007994361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.045{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007994360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:27.045{3BF36828-E9E2-60DD-3602-00000000C801}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000015900306Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:27.840{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1C1E0548FC85373F62E4507D3BCA973,SHA256=3402CC49DBD0874C4563C01A615D06749AA25166724E41F4886FAD2F52AED46F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015900305Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:25.493{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52022-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x80000000000000007994468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.421{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007994467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.405{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007994466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.405{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007994465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.296{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007994464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.296{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007994463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.296{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007994462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.296{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007994461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.296{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007994460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.296{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007994459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.296{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007994458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007994457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007994456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007994455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007994454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007994453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007994452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007994451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x80000000000000007994450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007994449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007994448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 23542300x80000000000000007994447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCB1C87B6187FD9A9A0DFED8A0C8F00A,SHA256=E6821DAE0E156E5056A0A377D39FB3E18899C63B7CD26E89452C36B652B26635,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007994446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007994445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007994444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007994443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007994442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007994441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007994440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007994439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007994438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007994437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007994436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007994435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007994434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007994433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007994432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007994431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007994430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007994429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007994428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007994427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007994426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007994425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007994424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x80000000000000007994423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007994418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.280{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007994417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.282{3BF36828-E9E4-60DD-3802-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015900308Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:28.871{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA57149197198F8383F14B745B8202B7,SHA256=7500103E5DD26C2F715865915E390B813316ED2584BA80842E9C2E1DDBFDBCBF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900307Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:28.606{B81B27B7-880B-60DC-1F00-00000000C701}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:29.718{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F51BBFC753997E47D35F8610BDE479A3,SHA256=7C7412CEAFDD951B8265526918D00DCB997C87C1B810E015E41B9411919166F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007994469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:29.030{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B01243604BFBC70B81393B417209717D,SHA256=C7BC3C9F7BEA888C0D2F64DC1087BFFDE588D15CBC3569B5065A671969A500B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900309Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:29.871{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A42CC7E3774DA3CEE1DD85D2037AEBC,SHA256=A169FDCEB085A38FAA6987CEE1AC24623D4EB8ED69FEB5189A929CE5B17ADE52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:30.468{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DE6BE8599E71DBC8A919C4BDABA066B,SHA256=437C31CCA55C42CDBDEBF40A609C521FAD55B633A1667E1292E816C341BF035A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900311Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:30.871{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79E4BACACB72E4633DA04AC4B8DB3ECE,SHA256=D1CCB85CC00ED9E2B3C561960DE1EC54217FF473D30B964B43DC6D655E7CA91A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015900310Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:27.900{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52023-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000007994474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:31.952{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E88300C3481D81ED369B2B486B850119,SHA256=EC51CF504DFAD67D1CA796EDB604205ED4F91D3529F38FA0F7EA2B73D8278CC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007994473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:31.952{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0437AB3E42556B32F5DDE5ACF9A02C7,SHA256=F3FFFF5219376F037B35F2C98073ACF4AF8DAB5F49196FDF82986948F4B06410,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007994472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:28.257{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62295-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900312Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:31.887{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD98F57953D7D69C181CBEAA994E4FE3,SHA256=DBCF74D384755DEB0AF30BD6724044E33F0D5CDDCE69C9B27168D637278858DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900314Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:32.903{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F01D434A03C7FB4EA038A8FDF1228C,SHA256=B9A44877A099EDA8E2618410649AFD376A82ACEE7C6F99B2124DBE4420728C2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015900313Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:30.525{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52024-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007994475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:33.374{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A84580DB6C7B8D4399D1D94CD3BF42E2,SHA256=FB0C897E14E91F520282473E9DB5BB2FBAFC36E3C341C83D51EF2BC34F1B7236,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900315Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:33.934{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E75C73C3653A104DEACCB76ED74CC742,SHA256=94383FE5C9B002F85B1FCC7EC7672875BE6D7DF0996F24227446E286632B3602,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:34.749{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD6C7D4533DCC0D4D67655A2EFB3C82,SHA256=4987AC08B364DAD870C696EABA7F92135951807CA92369346C77C28BE6EC33FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900316Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:34.949{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58930974FA15A7594F0B9E542E2910CE,SHA256=1583A484AF7A5136953E58A8FF6C176A17F4FC390FB40AC83E511564037F7523,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900317Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:35.981{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EE6C1F2B0965CF855C035604C828BB7,SHA256=CB736367116F96119DC93A6D0E891099B99A258E5C4EC61378330484996BC6E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007994478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:33.366{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62296-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007994477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:36.108{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D00322EADF54D435D66B801488BE40B7,SHA256=7427C44B4102649CB9EE5EB83BBC98DB9783669FDE287814EC1D203D02BA15DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007994479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:37.483{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D716AB1CCD586959067A64E0D2F5513,SHA256=59A323018F8D26D075B8B2DDE25E705B02ACB5EBD98F1F1EAA51C0198A106C8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900318Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:37.028{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB3B80724315FADD74B5CEAA8ADB2BDC,SHA256=4B37B44F0AA51C547CAFBB19C32625E105CF280385B0E2DA55C029BFA924ACD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:38.858{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7682813F786E17AD4B7F9763A6B4C77,SHA256=18BFAC2B0FD5A8D5C73105B5D3BC6D24498EB3519406E0E598DA485A6341ABA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015900320Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:36.525{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52025-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900319Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:38.074{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7A47278B29A66404AAA26387FB9AA3F,SHA256=9CE7E070218738EC2EC28564E3D1A982331B575EF127B12FA54034849E49D050,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900321Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:39.074{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9010B11792D0E87855E5E167D1C023F0,SHA256=7E5CF8DBDF474E0891A5D5B3CDB32FDAD6B5B62B0266C1DE3A1C8C01404D1282,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:40.905{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F562A941158219B10BE929FBC6DA590F,SHA256=15AC532EB302E98F5CFA31B308E001901BB5ED7A03F7A349AB9B6C4AF4DA84B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007994482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:38.429{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62297-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007994481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:40.233{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D11BDE5DA9C65B061ACAD26DA6597DA,SHA256=D031BDE212E927DA8AC8EAD62B5C32A887C540A37188834D63C449E4EC884E2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900322Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:40.090{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=671C123E0604C3AE70975A01B5128F21,SHA256=3CECF3035F4D82A73C19FB42FD73E8CBA1D23C84495B3FB380368019295313CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:41.593{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=170D83837A982EC432A63A92AB0CE282,SHA256=A0B3399B6A74C45675B10B8264F73C8B06776DDE458ED2ACD6AD739A878114E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900323Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:41.090{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7DDFA0C81B2148A477D27637FAF4F28,SHA256=017C772C893854011DD45446FB4079576BD68C9335C126E4D927085738D520DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:42.968{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61E3D6691E024705A9179C907F312E62,SHA256=B195A65138863B47121650FA1BB0D032D0D1793930F65345EC666F00C1AC9CD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007994485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:42.452{3BF36828-DD0D-60DD-1200-00000000C801}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0677AA0898C50D3211F1E280A3234D82,SHA256=FBE49D9F0C5239C781A45A4FDC3E08F36851C15958D99ECA30BFD42E846BDFC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015900337Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:42.715{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E9F2-60DD-5C2A-00000000C701}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900336Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:42.715{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900335Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:42.715{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900334Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:42.715{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900333Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:42.715{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900332Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:42.715{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900331Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:42.715{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900330Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:42.715{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900329Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:42.715{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900328Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:42.715{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900327Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:42.715{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-E9F2-60DD-5C2A-00000000C701}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900326Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:42.715{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E9F2-60DD-5C2A-00000000C701}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900325Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:42.716{B81B27B7-E9F2-60DD-5C2A-00000000C701}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015900324Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:42.153{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75A38971C9B2A20D1159E3877E4DD1EA,SHA256=227E1F80EA920F23E1D4359B0F2E1C185C56510B3868DB0A249FBFBE09B02A41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015900355Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:41.572{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52026-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900354Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:43.731{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B53EA0B156F4FB4773601F1B218FB61B,SHA256=8A78635D6555E2AEF2818716869E814DF6B6BB4A48C17513D401462FE432FAE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900353Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:43.731{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD6BD52D3F7D12603FD7EE6462CAA303,SHA256=991C11FF34738E1532394D25CFC6AB5C31DDF6CD5E65A090FEA82B3326BCC9B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015900352Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:43.512{B81B27B7-E9F3-60DD-5D2A-00000000C701}48565280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900351Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:43.371{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E9F3-60DD-5D2A-00000000C701}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900350Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:43.371{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900349Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:43.371{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900348Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:43.371{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900347Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:43.371{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900346Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:43.371{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900345Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:43.371{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900344Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:43.371{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900343Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:43.371{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900342Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:43.371{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900341Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:43.371{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E9F3-60DD-5D2A-00000000C701}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900340Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:43.371{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E9F3-60DD-5D2A-00000000C701}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900339Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:43.373{B81B27B7-E9F3-60DD-5D2A-00000000C701}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015900338Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:43.199{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B85C5A78BD7CEBEDF6D2273E5E205760,SHA256=F9FA7FA0C36ED94D73571F15D93CE7D4F7A9B2153BEA369C874F99D654270382,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:44.343{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFA74EB3ED6B192102EF43F121BA7C65,SHA256=ABC6B4F65DC9F86A8569C22C29F0EC6E5E9E547BE6B4054AA75AB8362CDAA60B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900370Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:44.996{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B53EA0B156F4FB4773601F1B218FB61B,SHA256=8A78635D6555E2AEF2818716869E814DF6B6BB4A48C17513D401462FE432FAE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900369Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:44.293{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D10E8BECE68EC8EFB1547F16D0248B5C,SHA256=B4FAC91954820148FD11E8F53FE9EF66A832E32D1BC957424992CF88492E63EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015900368Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:43.996{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E9F3-60DD-5E2A-00000000C701}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900367Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:43.996{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900366Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:43.996{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900365Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:43.996{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900364Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:43.996{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900363Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:43.996{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900362Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:43.996{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900361Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:43.996{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900360Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:43.996{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900359Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:43.996{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900358Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:43.996{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E9F3-60DD-5E2A-00000000C701}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900357Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:43.996{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E9F3-60DD-5E2A-00000000C701}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900356Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:43.997{B81B27B7-E9F3-60DD-5E2A-00000000C701}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007994488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:45.702{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90D0E7A02FE852C56F776699ACD721F9,SHA256=1CE8CD0EA3B6768233DB9FCAE059233934824FD5C8B4502F68A28EDA37B6C131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900371Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:45.309{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECB8E7DC438DABFC2019318764203C83,SHA256=4448B5B63CF95452601AC0CBF1DA8A6E66B97D348FFAB20FEF6012B1414B5E77,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900372Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:46.310{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=316665888315B6BDD9458DD9F846CBD6,SHA256=7BC53362522F8DFB0126538EB7AA4518530B91DFBCBB5BEA1DC9BD59E6629F75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007994490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:44.319{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62298-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007994489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:47.062{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F0061C72B51A3CD7B497DE8A45D90D0,SHA256=DCF48315798CFF0AE4F327D1E7142D2FD1D1E83C9E8B5A685E7E88E9F3A04833,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015900387Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:47.544{B81B27B7-E9F7-60DD-5F2A-00000000C701}25403648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900386Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:47.404{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E9F7-60DD-5F2A-00000000C701}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900385Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:47.404{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900384Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:47.404{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900383Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:47.404{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900382Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:47.404{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900381Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:47.404{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900380Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:47.404{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900379Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:47.404{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900378Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:47.404{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900377Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:47.404{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900376Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:47.404{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E9F7-60DD-5F2A-00000000C701}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900375Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:47.404{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E9F7-60DD-5F2A-00000000C701}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900374Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:47.404{B81B27B7-E9F7-60DD-5F2A-00000000C701}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015900373Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:47.341{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5CFBA2B0D4973537AE2FB00CC094D0F,SHA256=A0CCBAAB696355EE10AB0D20AEE8D7BB0F8CE3670CD1F44DFC7FCDED8F65D4CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:48.424{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78AC384B81E38E92903298381BDEDA82,SHA256=E0B9D83E0D80170E8DBF4A0ED161AA809D5F8135EC8930E77B04E4112AC700E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015900417Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:46.573{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52027-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900416Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:48.843{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F3BACBCF7E3EB4696008DCD821B6821,SHA256=45B62DCB12454A3D556E9A35F290D9B0D809E70A0244D0FE87A5514177DC4D45,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900415Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:48.843{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B91B56D964F8F383AA535792F4708B13,SHA256=371EF4623AE37E20E558463B508DCC7667B77E851E8EEC15897E944E586C4E20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015900414Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:48.749{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E9F8-60DD-612A-00000000C701}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900413Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:48.749{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900412Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:48.749{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900411Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:48.749{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900410Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:48.749{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900409Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:48.749{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900408Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:48.749{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900407Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:48.749{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900406Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:48.749{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900405Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:48.749{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900404Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:48.749{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E9F8-60DD-612A-00000000C701}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900403Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:48.749{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E9F8-60DD-612A-00000000C701}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900402Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:48.750{B81B27B7-E9F8-60DD-612A-00000000C701}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000015900401Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:48.218{B81B27B7-E9F8-60DD-602A-00000000C701}27285040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900400Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:48.077{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E9F8-60DD-602A-00000000C701}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900399Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:48.077{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900398Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:48.077{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900397Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:48.077{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900396Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:48.077{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900395Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:48.077{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900394Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:48.077{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900393Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:48.077{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900392Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:48.077{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900391Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:48.077{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900390Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:48.077{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-E9F8-60DD-602A-00000000C701}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900389Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:48.077{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E9F8-60DD-602A-00000000C701}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900388Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:48.078{B81B27B7-E9F8-60DD-602A-00000000C701}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007994492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:49.798{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E7338FDBC2FF91F44A16000E3CF5F41,SHA256=638810274E5F66F62DF1B37AE702626A3F12CE021FB9D601DAD2538124FAB4C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900433Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:49.968{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60CC2C83A10C076CD6450A2FEF62EC9E,SHA256=DF217CF20421C43D1C062CC6B2CA2549FD9DBDA42F54B54002F8B608D1405804,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900432Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:49.765{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=005ED7961C813D2E4EB651FE8D6D8248,SHA256=29F9D10D4D62F153C085BA5D65294F004239382A910915B39B5F96FA7FDC400E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015900431Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:49.561{B81B27B7-E9F9-60DD-622A-00000000C701}36605396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900430Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:49.421{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-E9F9-60DD-622A-00000000C701}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900429Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:49.421{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900428Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:49.421{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900427Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:49.421{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900426Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:49.421{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900425Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:49.421{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900424Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:49.421{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900423Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:49.421{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900422Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:49.421{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900421Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:49.421{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900420Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:49.421{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-E9F9-60DD-622A-00000000C701}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900419Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:49.421{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-E9F9-60DD-622A-00000000C701}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900418Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:49.421{B81B27B7-E9F9-60DD-622A-00000000C701}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007994493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:50.470{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E37341E6D1A3FABF0D59F8CB1F996891,SHA256=653ECB850E17A6FB77E2270456C1875F29865D9AB881D92B9F96E6B99775E380,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900434Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:50.796{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D57224C57145E1B72E045937D91779B8,SHA256=7896275BEEFDBD190F38913CC1CD017AFCCCD28C3533B6757126D6CF65CB8642,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:51.158{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=576560C5CA12111A2273C28573D3ACAC,SHA256=1F635B16D0CB3C6AD805C62ECA66D5478987AEA761833B7DD70803E49A09BD52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900435Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:51.811{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98253C01303D98172AF691F295BCCC02,SHA256=F5B6FF2B2EDD13A45302C3E55D81D3006BFD317A360C9E82CD8AF2F958D33E64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:52.533{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7B4D897CAA233C238D59963BEECA01E,SHA256=441F12F7F81AEC11C957EF036B85C84FA14A55FBB6032861DAB91F3724E7ABE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007994495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:49.415{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62299-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900436Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:52.827{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=455245851F9201D95AB87378238D0B68,SHA256=5FE032A9662BF64F1D0B0E8C35372A8612196E889F5653B51DA26119AD8C4B6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:53.894{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68975ABF14D9ABA3EA7247B27DDA1C47,SHA256=8E3BEA7E73BA95614B3D9E56B33D143ED994A05F019B26B1BF50030525F5AF33,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000007994497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:14:53.659{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d76e94-0x39ea6a62) 23542300x800000000000000015900437Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:53.843{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09CA2A0234DB93C7F6CCC5ACD2EFFCF8,SHA256=15BCA8F60A653CF86A29DBAFBF885347339C9050D0341537BD62BF4191EEA027,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015900439Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:52.433{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52028-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900438Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:54.858{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F9513442AC359CD68287EABE6377D5,SHA256=4ABB370634FE010B1E8E43AC46DA018E8726677E58A6481BC6ACED21AA23CECA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:55.909{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB428A158E303D4414AD47B612015273,SHA256=9555F098883642A4633B565D88FE2979AB22F404BDD78E2D90299A56B57313E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900441Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:55.889{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE6DAF0686856CCD3C509BAB0AC6AF91,SHA256=7B6AA682B2E532995ED24D3EFB8BD0B0B4200456DE36202231A743E96A67B731,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900440Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:55.405{B81B27B7-880A-60DC-1000-00000000C701}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B9E5D67DDF1851F8A427BE5B6D8B7258,SHA256=6A02A4235F6537C7A4C358E49AACF99790167AB530C29081905825728820D15A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:56.925{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05623C91CF62951B23085689B59B939C,SHA256=65CA55B0ACC96D379756079730E589D17DC9BC67608E969E07579D06899EA457,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900442Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:56.983{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8DEFBF586AE8F6C9F54CC67A30182C3,SHA256=F03CFE3CF5C434B5683FAD4B85DEE8BD38293DB9C68B4C3EEBB8B895DD26C80E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:57.987{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3CDDF59A30557B1FAE3069BEC1D852F,SHA256=19864F5ECFEB3CCC54BC2752706FD5C627FE6511D62CCD4F700D9B7252DB4AB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015900443Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:57.530{B81B27B7-880A-60DC-0D00-00000000C701}7964036C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1600-00000000C701}1208C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000007994502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:55.244{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62300-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900444Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:57.999{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9664B06B07992A6B06681BF78B64545D,SHA256=9CD051D835DE392EAB1C85A6B42DC435C7DE89E5488D8F2069CD867A4FF481C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:59.362{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7DC7C6AA7265F2815D57865F3216A4D,SHA256=F46B5D9ABE038FC34EA8746CF61226180B0929718E09A8C090E38D7E6EAB6665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900445Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:59.014{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0FE9B69835855C08ECF26CC55679F80,SHA256=E3F862EF2733897FD35EF0BCFC79F63D723FBC11FF5A40EC81C8D4A0FF603587,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:00.716{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCA5A12519E82883BA31215CEF407200,SHA256=4677AA76D69C046B70640413843CF9064C114EB5B47A92F64C81F7D5C3EF22C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900447Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:00.046{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A28403B2012AB8FE92CA5CE65723804,SHA256=F955728B87D307C96F4855F7FE55A745430DC25E31A3C2B7FEEBB1E077DAAE9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015900446Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:14:57.496{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52029-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007994505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:01.404{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C2D54754D318FBE511AE0D1469B478A,SHA256=9AB3D0ADABC11D91881D455AD0D8F25AED8E7E2409BEA0BFFE9EFFE93EDC6892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900448Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:01.059{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=192EA44675C21D715EC3D47AFB305AB0,SHA256=286C30455941BA86D6C23E1E8AFE06B67E2C53B01F60DF18DFA1EE7746EBA755,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007994510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:59.815{3BF36828-DD1E-60DD-4000-00000000C801}3628C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62304-false169.254.169.254-80http 354300x80000000000000007994509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:59.720{3BF36828-DD1E-60DD-4000-00000000C801}3628C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62303-false169.254.169.254-80http 354300x80000000000000007994508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:59.668{3BF36828-DD1E-60DD-4000-00000000C801}3628C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62302-false169.254.169.254-80http 354300x80000000000000007994507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:14:59.667{3BF36828-DD1E-60DD-4000-00000000C801}3628C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62301-false169.254.169.254-80http 23542300x80000000000000007994506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:02.092{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51A52756EDAB5F845655DF1B01A7D643,SHA256=BACA68BEB2CC369253607379D5C11AFD8889DB5AF5D20E0DA8B2628B8CECBAAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900449Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:02.093{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C389FE04401EC29003FBA047C612A26,SHA256=533EA2B9DF6001C475968959D505CAB022E920B2C019B2C71E5B165FC9FAC4B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:03.452{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5BC5CD23FFEDEC5A3E0DA388F48C3CF,SHA256=9E0BB685B77047FEA4ECE4E76C1C5C18C77AF25B36AB01715B43C529EA219D7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900450Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:03.155{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15AF8AB87EA6A228D913883AE8A405D6,SHA256=98EEDEF73BC1F451937387CBC734A9948BED394F8FA2C1818F96CBA6010D1C1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:04.811{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D69327C5C3B590DBC5A2AEDDE6376E08,SHA256=3ED0D2E498F3980249D3685ECF5D48441F6CFB75B58AA8FEEC5204109AD2C497,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007994512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:01.271{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62305-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900451Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:04.171{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0096AA674458DB2AF0DB276152417E68,SHA256=F435A9E9CA94E8E4F0214D3426020B675BF4B455CD0F36E1E0D16AE3B64D62A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015900453Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:02.543{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52030-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900452Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:05.218{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1C43C543963BF00AE7183BB0B597BC4,SHA256=F2263455BA0F55DB3A72175437B4DE5524C73D268C6D49B6E778D0BC8D443688,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:06.186{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B50F1623C7EA867A932BB621D248D277,SHA256=E30400C64E5F10934BBDBDF138F04D0E31B7EEA9B7F2F528884E1F94FB9DA57A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900454Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:06.234{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E710371C5D35BA1CD73BDBDCAD42B483,SHA256=C4B25DD67ED17019E4B4CF8EAAE03F48043189BAAB4AA83AB0CA2EBAD4CC5AA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:07.546{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09C27AA09D71C64BB3552BE98541DACB,SHA256=43642CAC6CE6CD3A2A4EA4F0DC878D2562A9AFE134823CE8EFF48327B7FEDCEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900455Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:07.280{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E8902A213258EB52295E3DB4BE2B23B,SHA256=1F1BFE5E6148789C448C88D3787BC18A0C61D99015EE6E0FC40028AD053B7B65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:08.907{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55D6551BABEBE737E252C58E01444A20,SHA256=69B57B17EEA516BDAA6A7CDE9F20F6569170ED72117DA715FB4554F3FCBC0588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900456Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:08.295{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C56E22C2D3D86C2357AC2073C6E96791,SHA256=453825ADDC12A0F399FC5258B046E34458E3DE713B9A742637DA8763CA4EE496,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007994517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:07.304{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62306-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900457Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:09.310{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAD2E6280ED656398BDC47755C433115,SHA256=240C1AA5A1A4518F8F4927EE4700125F02168A01547A2D9F5C1EC20C53E698D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:10.282{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50E37763917C965267D92941DD97DEAE,SHA256=E4B412EF95E33E5720C38D92183C38D7003336A983ABECA5A2C5DC168BFEA58E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007994518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:10.282{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3592396D71CBE2E4E349A844943D9925,SHA256=0085BB83088D0FC0D3AC8C0692F8FC324B32D0F1CDB1D9A6C6755D10CC91BC1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015900459Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:08.370{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52031-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900458Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:10.342{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E137E216BEEFE4229143D1403804E0E,SHA256=086AE065F65390B37CDFBF23D053392B5E39B4E13868F749851DD04E687F6003,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:11.642{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F29CD302BAF789C3CC1612E6742990B5,SHA256=FECBE6898B76802D443EA7A89052E3930BF5C438D5D9FA587AA558DB89A60613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900460Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:11.357{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B71C66437E34B53652B72CB363E7F5D1,SHA256=90665B713D65DF03EB9F69708BB301BA10F77FDBA24208F0DC1D664E990E630E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900461Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:12.388{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7555A4CF875D720BC510E1554F4E87C6,SHA256=D99BFBA9F2C42CF3E909379122103BADCE3179B88FB60CEB1BB7F8E3DD2A6F5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007994525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:13.938{3BF36828-DD0D-60DD-0D00-00000000C801}9244328C:\Windows\system32\svchost.exe{3BF36828-E8A9-60DD-F801-00000000C801}4756C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:13.938{3BF36828-DD0D-60DD-0D00-00000000C801}9244328C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1000-00000000C801}372C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000007994523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:10.804{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62307-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007994522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:10.804{3BF36828-DD1D-60DD-2F00-00000000C801}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62307-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x80000000000000007994521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:13.001{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=233633F90FEBAF076929F0F859AF5470,SHA256=01C9732580E60A91BE8AFBF8752795EF6EAE3DF5B846C7F2E391ECA88AA59538,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900462Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:13.404{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DBC1873845DA6387594DE521C5C9724,SHA256=9A385CDF45831E83EC615B5A66B040CE5BE3026980E51469EBAC8BE478C75CD2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007994527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:12.382{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62308-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007994526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:14.376{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DB0BA1812326374140AFCE4AA04C1F8,SHA256=FB5AA2D2270E010E7B90F4FAEA7C07B14812713BE7374FDC071E48F1A570D4AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900463Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:14.451{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A634AF68E2B06C882DCA057E8298EF19,SHA256=3019B2C954C1B96767262D8411604AC66A012833EBD4906A436B859153601EA2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:15.735{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2D1734F09BC5FC9E036CBEA06F8428A,SHA256=83981723BC60B1B3A1C2E7E8B5877505F284F65BBCD9DC1E3B345E5E78C85246,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007994534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:15.095{3BF36828-DD0D-60DD-0D00-00000000C801}9244328C:\Windows\system32\svchost.exe{3BF36828-E8AA-60DD-FB01-00000000C801}2248C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:15.095{3BF36828-DD0D-60DD-0D00-00000000C801}9244328C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1200-00000000C801}396C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:15.095{3BF36828-DD0D-60DD-0D00-00000000C801}9244328C:\Windows\system32\svchost.exe{3BF36828-DD0C-60DD-0C00-00000000C801}864C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:15.095{3BF36828-DD0D-60DD-0D00-00000000C801}9244328C:\Windows\system32\svchost.exe{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:15.095{3BF36828-DD0D-60DD-0D00-00000000C801}9244328C:\Windows\system32\svchost.exe{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:15.095{3BF36828-DD0D-60DD-0D00-00000000C801}9244328C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:15.095{3BF36828-DD0D-60DD-0D00-00000000C801}9244328C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015900464Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:15.513{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD4E7F6D712CC24D27AB26D78EBB4FBB,SHA256=0F08D1879024312F666E24E0D14AED4CCCBD981F46C7BAC7FE71A25EA4DAE9A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015900466Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:14.386{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52032-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900465Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:16.545{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2F62F604235930E6F59E89072643754,SHA256=2DB96A7A3BC7FE61C5D7BF1F12B58C81EE10FCE42421550B99D476C610185861,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007994587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.923{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007994586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.923{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007994585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.923{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007994584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.813{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007994583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.813{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007994582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.813{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007994581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.813{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007994580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.813{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007994579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.813{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007994578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.813{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007994577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.813{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007994576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007994575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007994574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007994573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007994572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007994571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007994570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007994569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007994568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007994567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007994566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007994565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007994564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007994563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007994562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007994561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007994560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007994559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007994558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007994557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007994556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007994555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007994554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007994553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007994552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x80000000000000007994551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007994550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007994549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007994548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007994547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007994546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007994545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007994544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x80000000000000007994543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007994538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.798{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007994537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.799{3BF36828-EA15-60DD-3902-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007994536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:17.110{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DCBD771C0EC30DCF3D1800B810EA3A5,SHA256=88AAD480B92316766BD1C9685DCEF3A5A08D1161903674FA701E3481E70E2665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900467Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:17.560{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC0AAE158FBD3EA2B02E7EA751537BFD,SHA256=53BE5075F7F302A8FC1CACBCD276C5AC5F0C8323F3E7AD63C2BAF4119B433C47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007994640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.735{3BF36828-DD0D-60DD-0D00-00000000C801}9244328C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.626{3BF36828-EA16-60DD-3A02-00000000C801}45882904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007994638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.626{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007994637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.626{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007994636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.517{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007994635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.517{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007994634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.517{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007994633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.517{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007994632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.517{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007994631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.517{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007994630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.517{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007994629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.517{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007994628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.517{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007994627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007994626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007994625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007994624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007994623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007994622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007994621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007994620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007994619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007994618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007994617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007994616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007994615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007994614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007994613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007994612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 23542300x80000000000000007994611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=658DB07AF72A4C9148A30843EA50838A,SHA256=B0159CBCBC6988B0868A6B85620E327E3FD67FB7F53361746F986087B89507C1,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007994610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007994609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007994608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007994607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007994606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007994605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007994604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007994603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007994602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007994601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007994600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007994599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007994598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007994597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007994596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007994595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x80000000000000007994594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007994589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.501{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007994588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.503{3BF36828-EA16-60DD-3A02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015900468Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:18.560{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F6955224BC9B2AC447E78036E57790,SHA256=3420299A037938152F56E5F04CA3F790850094457E6463C6CBEF70F8890204EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:19.860{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9A1D28B999CFF79A7C85DB16BC2E589,SHA256=BA89C3F7BB7C1D98B0819B7A58D62928730E06934CC8684DCDAAE2FD275C231D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000007994644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:15:19.688{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\D370F6FF-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_D370F6FF-0000-0000-0000-100000000000.XML 13241300x80000000000000007994643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:15:19.688{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CA735696-6C26-4910-BF98-1B50C97DCBCC\Config SourceDWORD (0x00000001) 13241300x80000000000000007994642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:15:19.688{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CA735696-6C26-4910-BF98-1B50C97DCBCC\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_CA735696-6C26-4910-BF98-1B50C97DCBCC.XML 23542300x80000000000000007994641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:19.173{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=202ECC23F191BD812C4605004C534DC2,SHA256=9288C65B860181D17D4D4BE21720A519858949CF98724BC12382BCA903863439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900469Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:19.576{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CC1ED728A228896CFED328559D2CAA6,SHA256=4A9306454840D51E461BED16CD556AAD420CEADCCCD3D34856C071A4426F01C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007994652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.900{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62312-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x80000000000000007994651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.900{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62312-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x80000000000000007994650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.895{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62311-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x80000000000000007994649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.895{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62311-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x80000000000000007994648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.883{3BF36828-DD0D-60DD-0D00-00000000C801}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62310-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local135epmap 354300x80000000000000007994647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.883{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62310-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local135epmap 354300x80000000000000007994646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:18.351{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62309-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900470Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:20.592{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F063CB0D1E478FC3D1608EC99B0163A,SHA256=F6980ADB9937DDDAC532C3F65999D4A698C8D2E6B34AC3DE51EAA3A417CE785F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:21.954{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8588005592DD3202BE548F0B0AA50F2A,SHA256=221D64D6EA51AE2D3C366A29454876C8F30784949DDC1FE3A11F5AF612488F1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007994654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:21.282{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C23576B2CDFF8AB0D99939F938535B98,SHA256=00D07038C4733DE5B4D5DFD9EC13ABFEBAE18305035088A1AB4A8873507AA452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007994653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:21.095{3BF36828-DD1D-60DD-3000-00000000C801}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015900472Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:19.464{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52033-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900471Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:21.607{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4240D0469C4F8EA54315A2D442452C5B,SHA256=6E0CE7880325D24FB8B72D9E63436B5997177FAC09DA9D3A0EDD85EEA9003819,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007994656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:20.273{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62313-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000015900473Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:22.639{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07FF7F8D684E620D98328E4E9A85E4A7,SHA256=0C3BE22DB8E13C3C92C9AC0CA87B8ED9F7691B653D0C11086643FE295570DDCD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007994658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:23.470{3BF36828-DD0B-60DD-0B00-00000000C801}6521204C:\Windows\system32\lsass.exe{3BF36828-DCF0-60DD-0100-00000000C801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000007994657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:23.376{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE13B5CE26E471CD3945CBC32170B98F,SHA256=0B941ACAD0117E5F6598FD4FEF7806B5D48F7A5EA936235F1E96F3C32A9BBD4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900474Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:23.670{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55CACC4A56F4E6B1748387BE337589DB,SHA256=C8B53131D7CAAF3270E8EEA845CCE93CC11D1E5E70BA9BF43ABB4196B4744020,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:24.767{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E4E4DD06A85034AEE0A15D0E7EB9C52,SHA256=D7D2E2553976F718864BADC1634DE2D94ACA480198FFD80DC08B12CFE959EBFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900475Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:24.670{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EDA37D8CE456BD9EED8B15A19A4222F,SHA256=8B351F2DDFBD2709164A02E60B642E2045C40594D5D0BB56509877A9968B9A6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007994665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:22.666{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62316-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x80000000000000007994664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:22.666{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62316-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x80000000000000007994663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:22.563{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-128.attackrange.local62315-false10.0.1.14win-dc-128.attackrange.local389ldap 354300x80000000000000007994662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:22.563{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62315-false10.0.1.14win-dc-128.attackrange.local389ldap 354300x80000000000000007994661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:22.557{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62314-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x80000000000000007994660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:22.557{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62314-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 23542300x800000000000000015900476Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:25.701{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC87C6E3750D3AC3937E2AC7FDEF1B75,SHA256=9A82D3E2339D112BA6CC7EB530A41401D00B4F85815BF3717DAC5F2D4E362370,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:26.782{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C82AD4C68C1FB33CB55711196F22350,SHA256=A1EE6636C9870CFE9BE63EC6AB0AA48D54BA009FFFBA4CC864FBEB0CA4994620,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015900478Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:24.479{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52034-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900477Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:26.701{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54D3D4CD817D0EAD851706D1403A3EAD,SHA256=FA272E92252B970BE18E2F8BEAB99C3994917E88ED2DC1C700DB5F2CC5864C24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007994718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.721{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007994717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.721{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007994716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.705{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007994715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.595{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007994714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.595{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007994713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.595{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007994712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.595{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007994711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.595{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007994710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.595{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007994709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.595{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007994708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007994707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007994706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007994705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007994704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007994703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007994702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007994701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x80000000000000007994700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007994699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007994698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007994697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007994696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007994695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007994694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007994693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007994692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007994691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007994690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007994689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007994688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007994687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007994686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007994685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007994684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007994683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007994682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007994681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007994680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007994679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007994678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007994677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007994676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007994675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x80000000000000007994674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007994669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.579{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007994668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:27.581{3BF36828-EA1F-60DD-3B02-00000000C801}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007994667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:24.273{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62317-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900479Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:27.702{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71FDC3344EF6CE440ECB6569B73B8F3D,SHA256=50E6F66E031D36D46E2AF537C738A455FAF256771608EDFF904EE4D7868EA346,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007994821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.987{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007994820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.987{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007994819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.987{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007994818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.987{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007994817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.987{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007994816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.987{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007994815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.987{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007994814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.987{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007994813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007994812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007994811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007994810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007994809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007994808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007994807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007994806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007994805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007994804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007994803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007994802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007994801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007994800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007994799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007994798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007994797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007994796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007994795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007994794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007994793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007994792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007994791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007994790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007994789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007994788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007994787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007994786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007994785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007994784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007994783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007994782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007994781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007994776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.971{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007994775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.974{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007994774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.424{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007994773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.424{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007994772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.424{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007994771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.315{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007994770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.315{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007994769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.315{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007994768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.315{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007994767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.315{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007994766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.315{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007994765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.315{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007994764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.315{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007994763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007994762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007994761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007994760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007994759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007994758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007994757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007994756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007994755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 23542300x80000000000000007994754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83D2F4D2B3C2A61693A2C2829091CAFA,SHA256=D9EECE6393A828DFD9CC9B63B6153570FF861116610B37621321A4097C01ACF9,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007994753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007994752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007994751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007994750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007994749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007994748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007994747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007994746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007994745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007994744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007994743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007994742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007994741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007994740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007994739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007994738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007994737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007994736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000007994735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007994734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007994733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007994732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007994731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x80000000000000007994730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007994729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007994728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007994727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007994726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x80000000000000007994725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007994720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.299{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007994719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:28.301{3BF36828-EA20-60DD-3C02-00000000C801}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015900481Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:28.733{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2D0CD5DFEE46304DB7D6EC459844451,SHA256=15111A10B550891643F069478FEA782DBE219E4C93DC19C6687AC11EA8978186,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900480Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:28.624{B81B27B7-880B-60DC-1F00-00000000C701}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007994878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.799{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007994877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.799{3BF36828-EA21-60DD-3E02-00000000C801}10761576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007994876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.784{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007994875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.784{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007994874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.674{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007994873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.674{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007994872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.674{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007994871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.674{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007994870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.674{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007994869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.674{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007994868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.674{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007994867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.674{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 23542300x80000000000000007994866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8614195302D8A3E46D98DF315C102E62,SHA256=487A027B2AA17734D9E1224C62AEE6768ED77233011B38E0231E22D2CD578E4F,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007994865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007994864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007994863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007994862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007994861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007994860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007994859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007994858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007994857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007994856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007994855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007994854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007994853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007994852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007994851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007994850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007994849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007994848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007994847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007994846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007994845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007994844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007994843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007994842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007994841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007994840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007994839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007994838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007994837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007994836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007994835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007994834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007994833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x80000000000000007994832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007994827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.659{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007994826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.660{3BF36828-EA21-60DD-3E02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007994825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.096{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007994824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.096{3BF36828-EA20-60DD-3D02-00000000C801}41643420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007994823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.096{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007994822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.096{3BF36828-EA20-60DD-3D02-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x800000000000000015900483Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:27.918{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52035-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000015900482Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:29.765{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FC814CDB045DB5A7A2A176F0D605B37,SHA256=795546E5AD775F03D0A923D56A0E6928A1CB0D0FB2E228123CA40085EDAA9192,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007994930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.487{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007994929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.487{3BF36828-EA22-60DD-3F02-00000000C801}37845084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007994928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.487{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007994927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.487{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007994926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.377{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007994925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.377{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007994924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.377{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007994923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.377{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007994922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.377{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007994921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.377{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007994920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.377{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007994919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.377{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007994918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007994917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007994916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007994915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007994914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007994913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007994912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007994911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007994910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007994909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007994908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007994907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007994906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007994905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007994904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 23542300x80000000000000007994903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7203D954DD2C7F7095C87F70BF81D32A,SHA256=4CF3BB57189A94CB12E92E545C5ED91D084811A2C8A668D105DEAB377BB37E1C,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007994902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007994901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007994900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007994899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007994898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007994897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007994896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007994895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007994894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007994893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007994892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007994891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007994890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007994889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007994888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007994887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007994886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007994885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007994880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.362{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007994879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:30.364{3BF36828-EA22-60DD-3F02-00000000C801}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015900484Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:30.765{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=232DD2DE099F69F3CB434323384226CC,SHA256=815766CD78CC820F6152EFF682AA72E706814FC672CB0F2285B043278CE34277,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:31.768{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6481B8716AB267E57765355E263E343,SHA256=69793B66443A4F88B44B6FBBE3D4F830F33FB82DCFD4AEF83FCADB0C3338AC68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007994931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:31.096{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=787E897D1CDF1EDF123DF58FA7F317D1,SHA256=70443F42CE6CDB766623EE0AC232407E9600D8E2B1DA40B56BB9A957435D3E58,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015900486Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:29.496{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52036-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900485Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:31.812{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD210CC0AEDB51F3C197E8DC5607E022,SHA256=9AF0E5D067786D78C19F1AEB6EDCC29450AADFEC6D1F2101A031F52F87562884,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:32.534{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B91EEC17DF3592C7B0610D8158E4C5F,SHA256=71E1D61DA6EE1EBABE4B29229722F7AE9757916025CC8CD095F19CA860A3B6A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007994934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:32.534{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B75D6CA84D7EB44BEB26411337316E8,SHA256=F326B764E5BE0205A9D61E5A7E023C31683FA194873A3A24C82970EDB58B25F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007994933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:29.368{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62318-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900487Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:32.827{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D84808F37CE1192FA07C499DDD1D0F,SHA256=611F2C31C8BE453F9D43E4349FE02BDA0ADE0BF26DADD01BE2C8DE7DF06C66CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900488Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:33.858{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30B8AC3CA913485C256C84899B1B9C3E,SHA256=3BA6BE47B934A9D1208022AA4B2C1A18FCF44A31A0F33B803DDB05134CC7B8C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:34.034{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC6DBFF72CB6AAE78704489675DABAD,SHA256=CC2C742390C8A4185CCF4EF48C14F141A50D64C0739E449A24F4840F74D22820,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900489Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:34.890{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C90FB3236758F66CD3EC407A9181FD9,SHA256=EAB3CF09E21107B0CD9876A13BBDA4A60A3B0B35A9503AB5E200C2C4B78F3319,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:35.456{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7C1F5ECBB91F4BF42E9D0B720F8573C,SHA256=49FC21676DCAF7F607B1AA1B45C8C53DD432C9794F82880EF8C6820722E2A40D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900490Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:35.905{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30577A8E690D5AEC4C78FDCAC3AA2522,SHA256=4EDE05C4F5A4C6E36B5CADCBD0FD11BF05B7801A6710D1E18EA702156E7C96C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:36.831{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA1B61BAD5CBBCA8BC4418EF85F9F97D,SHA256=EEB23A32D3FE4D1A60478A08C1B0A008C8706E3BC5A54C14F0093F5FDAF48B9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900491Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:36.952{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6667B8395331681844326CEEB1F818D2,SHA256=A8D113819835AFB2A57EED1DD5FBC3D4F404468A4D1801E4D45934B2BA52D4F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007994939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:34.430{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62319-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007994940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:38.206{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA3E177A2249DBDFBCC84D94840344AA,SHA256=94CABE6371C84B19545C03C198361EB655F8C55A3242D539BCE3EA2ED130071E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015900493Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:35.418{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52037-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900492Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:38.046{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B02863523C16A71037D862560C30FC0,SHA256=42DA52C9DD42A84A2A587006EE4249F08F1101AFAB09BE0586222285E2F9C658,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:39.565{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2C234058CD3FB867AFBFC7D6F844BA2,SHA256=3EEC5D2813C6439CBD65445E7755A15F111B156E8CCB89D112F8717D28185155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900494Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:39.093{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0F7EF4297F52F1086E58B041A8CD3A7,SHA256=7C1D2C45BE5B63230B431AC94F96F0194A69EFBBA0D4FC38334437726208C25C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:40.924{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5602B9AB4241D94C9EE5BBEF95223CFB,SHA256=2371C5B208EE2CD4897643C3BE4ABE133AACEB72A29848871422EEF70FC51B86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900495Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:40.108{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83DAD26FF638985349132083E77FAD4A,SHA256=156B955A30A4A86A1A1947762D363B19D0B833DD4841C8A2E0572094C3E8DBDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:41.612{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88F493EC7614DCDDA16E7BC48A657033,SHA256=E1EB713C5B9881BEEA6196ACDE385EF30BF8A87A70158F76BAE8E0B52E11AC70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900496Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:41.140{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E8C8A0504B47C1BF40C38A21D6067AB,SHA256=57CE71242758465B78B996D777D089FC51DC99CE1D3FC7A62FE12D1F5F4BBDDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007994946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:40.352{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62320-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007994945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:42.456{3BF36828-DD0D-60DD-1200-00000000C801}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C707A43DA21C6D564BAC74E7683B8075,SHA256=87082AEFD058B202E09DE9565EC827AD9707F57371224AD4C7BDAFAF314D4681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007994944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:42.299{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E6BEDF597D958A8AEE4AFF3235EC9EF,SHA256=AB61D4C955A9801AE93444113108F16AF2568E165181683722E28DA9F1A17ED7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015900511Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:42.890{B81B27B7-EA2E-60DD-632A-00000000C701}49243744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900510Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:42.733{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EA2E-60DD-632A-00000000C701}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900509Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:42.733{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-EA2E-60DD-632A-00000000C701}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900508Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:42.733{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EA2E-60DD-632A-00000000C701}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900507Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:42.733{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900506Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:42.733{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900505Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:42.733{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900504Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:42.733{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900503Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:42.733{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900502Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:42.733{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900501Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:42.733{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900500Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:42.733{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900499Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:42.733{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900498Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:42.734{B81B27B7-EA2E-60DD-632A-00000000C701}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015900497Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:42.155{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6DC8351FCB69BC6F93632A9FE1AF28D,SHA256=FFA20D5FE664581A06D0A93FFEEF8AB64062EA24BBBF489450EAAA26B6325A57,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:43.690{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDDD1C0BC34D815309A3D0CC4989866E,SHA256=B04B1B7346F4AE8FA0684F7ED78295B6E683702EA00A098F3677FAFB18AE2D42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900527Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:43.765{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB0B0F1834380C52C33D2DD9E8FC68EB,SHA256=5E91F1D47910561A7535A6BC2D8CC833E232B8609B610E92EC6B9701188970ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900526Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:43.765{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61EF06A2E5A424062339C679817C98E9,SHA256=90B5BADD1522F22560CB04ACA50722C6A48ED3D964AE95D8617C4E223D065533,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015900525Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:43.405{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EA2F-60DD-642A-00000000C701}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900524Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:43.405{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900523Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:43.405{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900522Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:43.405{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900521Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:43.405{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900520Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:43.405{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900519Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:43.405{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900518Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:43.405{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900517Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:43.405{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900516Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:43.405{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900515Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:43.405{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-EA2F-60DD-642A-00000000C701}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900514Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:43.405{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EA2F-60DD-642A-00000000C701}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900513Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:43.406{B81B27B7-EA2F-60DD-642A-00000000C701}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015900512Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:43.187{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF81BA630EE285D4F3A8B1803F34502,SHA256=DB6250A5E6FA4DE7CFCC8BEE58B35F654D4E8118C678DB42FF911D87928145A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900542Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:44.421{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DF4248313D878766DF3F09AAC34EAAC,SHA256=48E911842A4BB9AE1D564E6E08961116FFF0DB747A383B9A8584B9E1CEC46EA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015900541Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:41.387{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52038-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000015900540Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:44.077{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EA30-60DD-652A-00000000C701}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900539Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:44.077{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900538Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:44.077{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900537Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:44.077{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900536Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:44.077{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900535Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:44.077{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900534Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:44.077{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900533Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:44.077{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900532Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:44.077{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900531Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:44.077{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900530Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:44.077{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-EA30-60DD-652A-00000000C701}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900529Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:44.077{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EA30-60DD-652A-00000000C701}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900528Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:44.078{B81B27B7-EA30-60DD-652A-00000000C701}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007994948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:45.065{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0C92BA90F44A26EDBCF2DD714528AA8,SHA256=47A72E61FE41875003D0187155A13BF7C5C0C1EAE221D7A29320B7E19539A8C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900544Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:45.421{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=601395EE8FF8927A33DE014AD3F94D1B,SHA256=16072224C70E55E5D46940EAE1018EFBD9A1BEB578C40B0B6A6C33529A2D14F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900543Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:45.140{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB0B0F1834380C52C33D2DD9E8FC68EB,SHA256=5E91F1D47910561A7535A6BC2D8CC833E232B8609B610E92EC6B9701188970ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007994951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:44.583{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-98752040-false10.0.1.14win-dc-128.attackrange.local49666- 354300x80000000000000007994950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:44.581{3BF36828-DD0D-60DD-0D00-00000000C801}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15WIN-HOST-98752039-false10.0.1.14win-dc-128.attackrange.local135epmap 23542300x80000000000000007994949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:46.424{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F68826F36616D75E04904498B5BB80AE,SHA256=F093F92904308098169FCB5B96B516F83E66F5AAB96701ED82D3DBDBFAF942D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900545Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:46.437{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7302E27915D5F818218755A668BCD479,SHA256=6DC1A32F1469F3D5CA9A28BDDF95593BEEE46B51C65374B1040E42686AFA4546,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:47.789{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C7563FB772246F71F489482B1C38573,SHA256=3F90D645D71E248298111664E1D245DC162D9D8608DF2D4C7C57129F645376F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007994952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:45.352{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62321-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000015900561Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:47.561{B81B27B7-EA33-60DD-662A-00000000C701}51566088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015900560Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:47.452{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90B0B1273FCE0999D5734791839056A0,SHA256=EEE9A7B58BEB2144C62BA2EE637C5A2DD2B1C7CA2F78FDDCE85898782D945761,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015900559Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:47.405{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EA33-60DD-662A-00000000C701}5156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900558Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:47.405{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900557Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:47.405{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900556Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:47.405{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900555Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:47.405{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900554Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:47.405{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900553Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:47.405{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900552Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:47.405{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900551Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:47.405{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900550Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:47.405{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900549Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:47.405{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-EA33-60DD-662A-00000000C701}5156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900548Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:47.405{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EA33-60DD-662A-00000000C701}5156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900547Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:47.406{B81B27B7-EA33-60DD-662A-00000000C701}5156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000015900546Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:44.648{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52039-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal135epmap 10341000x800000000000000015900592Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:48.894{B81B27B7-EA34-60DD-682A-00000000C701}3216136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900591Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:48.754{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EA34-60DD-682A-00000000C701}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900590Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:48.754{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900589Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:48.754{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900588Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:48.754{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900587Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:48.754{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900586Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:48.754{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900585Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:48.754{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900584Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:48.754{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900583Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:48.754{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900582Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:48.754{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900581Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:48.754{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-EA34-60DD-682A-00000000C701}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900580Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:48.754{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EA34-60DD-682A-00000000C701}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900579Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:48.755{B81B27B7-EA34-60DD-682A-00000000C701}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015900578Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:48.457{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C35747606773B3BD471C8621EEAAB7F,SHA256=6636DA2D76981F4A5AB3E3D1BBD44D38129D62C213D5AC13ACAFD314F313A3A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900577Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:48.410{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E18B03B155E5E88AE90DBB865908D375,SHA256=DAE802C44D39C801DF908E50C76401646F53F6BD8C183C4B4E29C10CD1569B13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015900576Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:44.649{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52040-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49666- 10341000x800000000000000015900575Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:48.238{B81B27B7-EA34-60DD-672A-00000000C701}56283856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900574Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:48.082{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EA34-60DD-672A-00000000C701}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900573Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:48.082{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900572Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:48.082{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900571Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:48.082{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900570Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:48.082{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900569Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:48.082{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900568Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:48.082{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900567Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:48.082{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900566Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:48.082{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900565Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:48.082{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900564Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:48.082{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-EA34-60DD-672A-00000000C701}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900563Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:48.082{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EA34-60DD-672A-00000000C701}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900562Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:48.083{B81B27B7-EA34-60DD-672A-00000000C701}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007994954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:49.148{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=593F852D0156796DCD413333BC0228FF,SHA256=D382C30A64CC31456ADFADEF1D6FA9EAE16F72D5C0585D96B1246DC20A839D8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900608Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:49.769{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48DC2B7DB00F68DB9F38D3DFDC248BCF,SHA256=FB8549E205DF719BE13CC8131A9326AC8DF2A8B6A8B9674753D6704698BCCE21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900607Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:49.613{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F159168CDC720A3321C2AA0C9F44D0F0,SHA256=C5B5543BB2583CD4A9DF6A370D32BB8B71FF961CDA679F31EFEAC905B4AC2F88,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015900606Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:49.426{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EA35-60DD-692A-00000000C701}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900605Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:49.426{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900604Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:49.426{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900603Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:49.426{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900602Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:49.426{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900601Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:49.426{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900600Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:49.426{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900599Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:49.426{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900598Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:49.426{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900597Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:49.426{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900596Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:49.426{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-EA35-60DD-692A-00000000C701}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900595Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:49.426{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EA35-60DD-692A-00000000C701}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900594Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:49.426{B81B27B7-EA35-60DD-692A-00000000C701}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000015900593Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:46.418{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52041-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007994956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:50.523{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B19D481FEE5E3C93984C7A2AEF8949DF,SHA256=41B7DAA0948F65BA7563796F911BF387D2CB0E99F751AA9828C3D317983B8793,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007994955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:50.523{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97ADE8F21F9CDB13E68257BCB39A0F7E,SHA256=8052B5BAB6D3F4DF1F8BE95CF7530C3FBFF70E00B1DFE9FF1B8161E75B806BB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900609Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:50.644{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B81102180094E2E366D498CB2EB2437,SHA256=5122EE660FC38804B74995F8DE0AF2BCDC5CA39BDF3E19FA863798E505621E7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:51.898{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E852B26335DFCE413A35EE1D97219993,SHA256=C959C6D8809B639E21BDB4FB9206FA5E1CF6CF0EC0C5AF52FE48AEA7B6AD29A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900610Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:51.660{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46651DB6E90067D77E7FE75198B2798B,SHA256=24C9619954F7B1EB2862A991F418172C90B72FBF530D10153955C6DB055ECD20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900611Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:52.739{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61E667CB8F543CA9F4FDBF519FEAB23F,SHA256=3A51F04CA130DC1196CBF927E23B952D6E886EA4B258A4056F499BBEAF12EAAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007994959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:51.309{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62322-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007994958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:53.257{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87E8C35A9A1C24D590628FDF6C8850CA,SHA256=4E24014D8388097A2B52904580E3380FBD9EA80188224D16EA3712C56BFA973B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900613Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:53.785{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73D3EBB6CC3119B6BFDC8C887256EC4F,SHA256=909089A70BF891BB0E6E6D92616C1D70936C422EF2BA854C29E99D8CF74D0BBD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015900612Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:51.423{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52042-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007994960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:54.617{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D812FA089002811CC9C42F3004D4074E,SHA256=CBA267B6E49650951FF911A2031C1C63AC0BEEFF31CEB8D40697A3539E63E619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900614Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:54.801{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FBA0E4B74412CDF28490048A08AF139,SHA256=5FCA1985ECC81D1F407A9E64C45E96DB478D3522230C9FDABDE2DB75F4108AF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900616Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:55.801{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A79B5F88A2C11CF45A649A9259ED4F6,SHA256=975F055903A84A0E4FC63E1BA3D5D481BCE3C4A48520A15C35FF87FF9E568639,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900615Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:55.410{B81B27B7-880A-60DC-1000-00000000C701}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0C919FDB83F662DDF8968471288887E8,SHA256=AD124BCAAA5F7D9CEC5AA88340717B494ECA75E5176A4B3D270B78B235AB5A72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900617Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:56.832{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=434082C672A1F2517C53C1D693AFE9C5,SHA256=24A1ADA650134166DD07E308D78563D348EC394BCBC3CABF09C0C79C87A2D29A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:57.321{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2111164C21D6595B11643BE331CD5D4B,SHA256=7593189F0441F4C64B2CA29BC4462FB1D5AC571AB1A0257F94FF1473E51C6118,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900618Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:57.863{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB53B522B4D0F93CAEBA1B9C5EE21976,SHA256=1F01DD3E9043B5427EF4310739E0929E51CCAD20F34BD8AA0F1D773F578147B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007994962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:56.419{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62323-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900619Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:58.863{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BA9DB78A359189B85ADAEC780402E27,SHA256=FEF48EC9BDCDA171B3531A0C2C9A076775F9CC30B6C45E43155401BB30DE7BC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:15:59.352{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=377447D0452E282D6AEA0DC243EB3811,SHA256=575C2A86A214A4DA746633BD7BD4F8EB7617F6114FE65115E3D153321279D5EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900621Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:59.957{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45324F864AD9168FC80821AD45BE1368,SHA256=89B18D94E70EF75924DD52A3A8C0E9A498090E00B9ACFB7C56111313ABA76E3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015900620Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:15:56.470{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52043-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007994964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:00.414{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F87DFF0E4A6DCEF173BF4358868F929,SHA256=9CCDB3066E3ED6592FCA5169F8BCE471F7E68BA1A170C04D14FBF16F30BB3C57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900622Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:00.972{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=067E914DF310D9EC9594CA4DFA684183,SHA256=A4755BB8B6F308266B961FB38871989718B13D483C965699FFF8FADFF66B52B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:01.774{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E8A3C7BE32ADC080E38C90F218F6120,SHA256=781D906A0BD83F0B2E1E16471270C276801621E7AAB170DD57B578E7D7B2E49B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007994965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:01.774{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFB37D3498841343132E53CD0DBAAF48,SHA256=A6D86C573E80B3D5209A3467BD061766E4841D60B9516202F7CBE2C24C56F326,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900623Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:01.974{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12422E0C0D626F0CEF01631408CDBF54,SHA256=8037E04437D03C2CCE490A055C64B0FD69D038A812953D2FF87CE9513C32BAB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900624Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:02.987{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED05BF5E3AE73E4F8BB5C2830181E236,SHA256=E3B7AC39AA7BA590C70A453363A9E4927639F68399274C5C27EB062CC0A32C7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:03.133{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9DF21A1B68AA9DC5185B85F9952BF91,SHA256=08FE69E66D3FE2EA3238374FA975DD4DC1236C3B2EE1F36A29EA3513B3F04ED0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900625Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:03.990{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9FB6BCBD09C22E3F99A1FB00BD1B40A,SHA256=4233BD19A30B207CFD59EF9430F30C8CABC275E73DEA3192C06A8B9B28FFFA17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:04.508{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7007F447CFFF7CA7C47AA61C36A724DE,SHA256=218432189EBDBD6CA1EE46E89392772C4CBD2299E4D751175C24112AF9DD6A15,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015900626Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:02.424{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52044-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007994970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:05.868{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92DD449EA2E1D09E22F5F76C9913208B,SHA256=68B303F7669A5305B19629909833462AD12C2501E747F12225316DDE56E872A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007994969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:02.450{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62324-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900627Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:05.021{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39D94F6D985B6644F130F9E00292E72E,SHA256=9536F43C96BDA1BEB6C876F591C7855CFF5E256544D5219656476F6B5E9E5CCE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900628Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:06.036{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7AA268FB8A34CEC8BD975226CAA2257,SHA256=9869A992F4E8230F66F36DB712A4B72070312CEAE080DF67A646E2E6259F12D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:07.227{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C19C7B89D412A9CBA2120BE8955E0893,SHA256=0C77F0A634B09ABAAD54B80EB1522B66C57BBA6748098464861DA29D2D163A08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900629Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:07.052{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=350C724C6644320DFEE458B681ABBC69,SHA256=F46EB6B2B1F31738A5A0EC61BD07A2EE62B53B96D90A3E0827BB05332F112A94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:08.601{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60AD4D82E4C79A2814F360C0908EE8B1,SHA256=18E15BF60ADA7AB085BE38A3BE31F970AA1C139E0233EF861069F9F385A032AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900630Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:08.082{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0275071E357F956B96C2CA9EC7F29167,SHA256=08D8FC73ADC35A0705FF8E77BDABF0CB5AC7771BD2EF492AE03973CC707D5890,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:09.961{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA746FFDDE4E3D6F68B700FADDE48FB6,SHA256=9F0452FCBBB2627D89D0E1D5FC9AAA25610B78A53CC1F8C3449B5EF18820EE6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015900632Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:07.548{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52045-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900631Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:09.082{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1E329ACEAA10F6349BE1E7BB2FEE58C,SHA256=556EA8EAB1603D7743B0D46C318FAD7FCFCBD06EEE11AD6E00BD01E418E0EF34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:10.648{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D940539D08C5607FF598D9EF7EF9029,SHA256=5DA208D0CA695943939BB13738002F785A42AECEA94E8058D67756CB63ACFBE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900633Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:10.082{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40146E2EDB4579B47E0A8AF7541D3845,SHA256=5000763DF659554CE0B612B68A4C216D82BD352EADEF16B02F6A78FDE5B54564,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007994976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:08.340{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62325-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007994975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:11.336{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=231861409A4882A051A1D533C74F56AE,SHA256=385B5667B75A0939E886DF957C8E6FF8AD71007176DFF64623CFF1B7978D5457,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900634Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:11.113{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72E12AABBA25EF52FB8D190488A344FC,SHA256=6E82F21286EB238A3F275B7CFC689385F2F85CF980A44EEF0BBD4E56E51A1CEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:12.695{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CFD5352322385D8F4BB347C384A293,SHA256=69E130665F18388DF378BBC30F7D5CFC04590710AFCD719BFB5241B0B9A05B20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900635Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:12.129{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D4FA15F20F4D40DF71193E44257563F,SHA256=24C5A04DAE8074C0DC96888EF81FA5E5307EA7EDB05BD4C1CF70059C98B774DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007994979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:10.809{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62326-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007994978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:10.809{3BF36828-DD1D-60DD-2F00-00000000C801}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62326-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x800000000000000015900636Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:13.129{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DD42231E8BF0ED316BECF9F5EE34FA3,SHA256=D0B954DB576D074D37A52F52022CE01499EC1EC49812216B13C843E4EDF65F66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:14.054{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59F8FAAC7BF7572B639D157FAA26DE5E,SHA256=052BBDB3C7C7D4C2400DFDEADAA032C0BA94362D4BD56F90BB99230927E0D81F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900637Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:14.144{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29A128FB41012BE971E1BA4A51C60B66,SHA256=4667014F077EC2E284A827C78BA5341622EE1E8632AC36F1F7D2A64D9BB4AA04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007994983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:15.851{3BF36828-DD0D-60DD-0D00-00000000C801}9244328C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007994982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:15.429{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E27518221577076EF822B36DAE946F0F,SHA256=772CFA41D90CE7ECE2E9F3659F286B39B68F0F9BAEF0FFE55D8F2B064953C4D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007994981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:13.356{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62327-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000015900639Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:13.438{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52046-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900638Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:15.160{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6EDFCCA3124CE5DEC9C3D70470CC169,SHA256=65756288F16A2C4F140ECE342BD3C7CE3379A9E157BC459112D0C11C1E730560,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007994984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:16.804{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6E1818C73D59455DB596BB4EDB661B3,SHA256=69704F340890B5CC1E42B9FD62D13CA87C71E8C8BC9B4384B6023459F81D489A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900640Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:16.160{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656DF0686C8326F97C288D1D82D34C6A,SHA256=7D6ED511DAA0221D3C3439DD28B8A869B5E46742CF28755CC007671FE6DFE033,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900641Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:17.175{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E8FB712B8C7474F09287A742F33FA2B,SHA256=FE38679C5F8EFA9C86990A0670C63087A81CD0E1416B4E119BEFD3C8766C525C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007995087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.961{3BF36828-EA52-60DD-4102-00000000C801}19564472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007995086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.961{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007995085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.961{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007995084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.851{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007995083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.851{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007995082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.851{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007995081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.851{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007995080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.851{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007995079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.851{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007995078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.851{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007995077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.851{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007995076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.851{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007995075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007995074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007995073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007995072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007995071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007995070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007995069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007995068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007995067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007995066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007995065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007995064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007995063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007995062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007995061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007995060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007995059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007995058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007995057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007995056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007995055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007995054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007995053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007995052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007995051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007995050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007995049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007995048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007995047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007995046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007995045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007995044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007995043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x80000000000000007995042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007995038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.836{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007995037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.837{3BF36828-EA52-60DD-4102-00000000C801}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007995036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.289{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007995035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.289{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007995034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.289{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007995033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.179{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007995032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.179{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007995031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.179{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007995030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.179{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007995029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.179{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007995028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.179{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007995027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.179{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007995026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.179{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007995025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007995024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007995023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007995022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007995021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007995020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007995019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007995018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007995017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007995016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007995015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 23542300x80000000000000007995014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D58B7BD6935EA1279BF8D6E3E2D153DC,SHA256=D606183A19E8615B597F4E88E3921CD5393E26D5D26AE1E8202046595724D233,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007995013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007995012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007995011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007995010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007995009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007995008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007995007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007995006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007995005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007995004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007995003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007995002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007995001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007995000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007994999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007994998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x80000000000000007994997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007994996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007994995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007994994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007994993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007994992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x80000000000000007994991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007994987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007994986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.164{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007994985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.165{3BF36828-EA52-60DD-4002-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015900642Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:18.191{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CEE2E6F4D2AEFADABE6A0ABAB19E926,SHA256=64B3AA23475EC40F1B058D1983B31E8E0F9A20C18792376EBF6CB5AC9DD75008,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:19.539{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8674DE308D3277311863AA8FA79AC98C,SHA256=179EB780964AF1CF101DB1D589A63D64BA5E381D97EBC9BFAC678D564FAC63AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007995088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:19.539{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9A5FF5B399FC2BA6795EAE0F3A3FF05,SHA256=82333B72C51F9885D9F37728BE6A01D76D5569DFD431750C8B567C9B149B377C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900643Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:19.191{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68AEC68CD8A72DB54580B4D636F61D24,SHA256=DB76E84036B767169F30C75B563B0E92357FE5C0D190CDCAF6A86429943F8937,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:20.898{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A5A8D253A4A455D5DED2290E14CBA9C,SHA256=0F8C07E1D59A8AE998E3B50338E461CC194E376DE4B35B3C99A4C8EEC869699E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007995090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:20.211{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2667F2AA864766A93AE56DAB06F0B21E,SHA256=26106B2790565E6DF0CC18F775808B99E29507C11CDC19CECA2C8A3F7038966A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900644Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:20.207{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=276CFF3E3DD8F2830C7D7FE78034A88B,SHA256=5365027E7ECBCBA49B30960A1D4C73F4AAD07E732425F49E27B32C679D853AF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007995093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:18.418{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62328-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007995092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:21.117{3BF36828-DD1D-60DD-3000-00000000C801}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900646Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:21.222{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC5C1BC3703A25EBFB2B033C2C04EC7C,SHA256=D2005BBF7ED490A896FD376F64638E26797417610234210C84FEBB901FCF2D10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015900645Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:18.501{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52047-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007995094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:22.336{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96361B2A43C4A7D8EE6CE8CAF800CEDD,SHA256=FCD446A234EB8C2E7A916843A22D98DC05CA2E6ED071C813F7E29D857A8E4444,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900647Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:22.222{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AEAD54CB6E256FD0E64D9EE47972B96,SHA256=FF73F14E9E272C1085472BEA270753C54533A1A9E7543F4CAF33D2EA861FBB55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:23.758{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D857879A6A91089B80A8D7240D16F4F4,SHA256=B2F165F7A6DCBB4E5791215040230B8DB3BB2DE8D2044ABEEF3254583CDCD7B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007995095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:20.293{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62329-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000015900648Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:23.238{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFFF5545488E809A6B2A04A3BD19F1FC,SHA256=F196CC66329AC8E596EB5BFFE3CD3EC1720225D9EEA29214B60819571320CEDF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900649Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:24.269{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62ABADF3A417E0C2D3320BA7A063F84B,SHA256=EA3DC7AF28CCE6DC3A618CD99EA4E7D457AB7772C82C5A3F3CC86B873B8BDBC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007995148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.930{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007995147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.930{3BF36828-EA59-60DD-4202-00000000C801}37364980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007995146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.930{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007995145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.930{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007995144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.820{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007995143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.820{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007995142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.820{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007995141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.820{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007995140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.820{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007995139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.820{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007995138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.820{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007995137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.820{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007995136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007995135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007995134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007995133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007995132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007995131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007995130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007995129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007995128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007995127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007995126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007995125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007995124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007995123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007995122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007995121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007995120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007995119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007995118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007995117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007995116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007995115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007995114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007995113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007995112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007995111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007995110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007995109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007995108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007995107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007995106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007995105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007995104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007995099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.805{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007995098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.807{3BF36828-EA59-60DD-4202-00000000C801}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007995097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:25.133{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31A4403F213C690E86E9B848865128AE,SHA256=3473AC08649B53EE2EB421E2B9F66747CD63A35B36CDDE2D5C89F91C530185D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900650Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:25.269{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A9C809AE2AE2F95B6B19DFE835426FD,SHA256=F727B88D70613D82A6009AFB441608689101C7A3A4511D647D4357D19A722707,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007995200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.617{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007995199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.617{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007995198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.617{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007995197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.508{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007995196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.508{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007995195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.508{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007995194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.508{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007995193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.508{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007995192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.508{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007995191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.508{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007995190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007995189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007995188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007995187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007995186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007995185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007995184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x80000000000000007995183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007995182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007995181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007995180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007995179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007995178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007995177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007995176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 23542300x80000000000000007995175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15759308F0F1E1DC13B8E03122EB0061,SHA256=F3C2903CF3FF98DFBB25145C938B85431B55CB1A2027203DB4932F9F18061851,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007995174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007995173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007995172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007995171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007995170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007995169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007995168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007995167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007995166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007995165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007995164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007995163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007995162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007995161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007995160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007995159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007995158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007995157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007995156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007995155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x80000000000000007995154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007995150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.492{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007995149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:26.494{3BF36828-EA5A-60DD-4302-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000015900652Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:24.376{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52048-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900651Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:26.300{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF42E86F3EC40D39E89F53D478F51A47,SHA256=ED7B34F03B6536BC22D51BEF4A5A1CD07DAD8C35041B063A31F91EEC510F220D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007995201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:24.309{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62330-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900653Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:27.316{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F3446ED7F3F4FCA138C97BA97BA685F,SHA256=92333D6082BE35259853F6D1B76EB177734A1C11446E4653E1E9D924F8E940EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007995252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.633{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007995251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.633{3BF36828-EA5C-60DD-4402-00000000C801}18562120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007995250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.633{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007995249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.633{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007995248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.524{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007995247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.524{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007995246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.524{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007995245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.524{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007995244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.524{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007995243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.524{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007995242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.524{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007995241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.524{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007995240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007995239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007995238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007995237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007995236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007995235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007995234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007995233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007995232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007995231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007995230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007995229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007995228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007995227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007995226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007995225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007995224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007995223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007995222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007995221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007995220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007995219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007995218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007995217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007995216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007995215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007995214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007995213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007995212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007995211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007995210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007995209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007995208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007995203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.508{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007995202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:28.510{3BF36828-EA5C-60DD-4402-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015900655Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:28.644{B81B27B7-880B-60DC-1F00-00000000C701}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900654Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:28.347{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=336584F98915B8DCCEEA2B32EA4A7050,SHA256=3474C4043959E644540E190BC193E1941A91386AC8EFE9844F712338179920A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007995305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.664{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007995304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.664{3BF36828-EA5D-60DD-4502-00000000C801}38724956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007995303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.649{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007995302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.649{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007995301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.539{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007995300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.539{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007995299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.539{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007995298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.539{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007995297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.539{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007995296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.539{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007995295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.539{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007995294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.539{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007995293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007995292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007995291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007995290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007995289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007995288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007995287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007995286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007995285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007995284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007995283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007995282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007995281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007995280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007995279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007995278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007995277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007995276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007995275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007995274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007995273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007995272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007995271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007995270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007995269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007995268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007995267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007995266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007995265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007995264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007995263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007995262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007995261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x80000000000000007995260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007995255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007995254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.525{3BF36828-EA5D-60DD-4502-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007995253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:29.524{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E08DF24C9AA50E2AB5B638385B9B3169,SHA256=BF21BBB9EDD3D7AF0DDC03788079018040523B6D798442EB0F79820F689300BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900656Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:29.379{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82F1821E90474945910D7063A501C3B0,SHA256=784BFF566594D5D9CF953AE7937619C683723764B90AC259CA79F58AFE580474,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.930{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49B4D9113FD6116D483588B618961B59,SHA256=68235E0D80E5BDDB3A94BC2DEE8F1FCF0F51071B76EF3AAF53930E2ABD95C016,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007995361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.352{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007995360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.352{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007995359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.352{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007995358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.242{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007995357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.242{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007995356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.242{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007995355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.242{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007995354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.242{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007995353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.242{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007995352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.242{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007995351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.242{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007995350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007995349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007995348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007995347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007995346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007995345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007995344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007995343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007995342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007995341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007995340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007995339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007995338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 23542300x80000000000000007995337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B064493F707713BF071C4A77A904774,SHA256=8B75669B75ACC4C6E496A15A73D7AA19D8C08A911B99F78B6E789B4B32DEE8F3,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007995336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007995335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007995334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007995333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007995332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007995331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007995330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007995329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007995328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007995327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007995326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007995325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007995324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000007995323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007995322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007995321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007995320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007995319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007995318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x80000000000000007995317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007995316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007995315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007995314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007995313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x80000000000000007995312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007995307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.227{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007995306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.229{3BF36828-EA5E-60DD-4602-00000000C801}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000015900658Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:27.938{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52049-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000015900657Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:30.410{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6A6EF82C5CB86ABD8B13C28BADA770E,SHA256=D5E6CB70C3F1933CCF9F5DF9B8C9F9CDA252E577B8BC07A588036FFCBBD12F2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:31.696{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15EF38F7FDCEA743C85393698840DC36,SHA256=5354CAC85749AEC06F67DAB330564404B0498695CB68602B8D625C613569AF43,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000007995363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:16:31.149{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d76e94-0x740760a8) 354300x800000000000000015900660Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:29.391{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52050-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900659Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:31.410{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=211BCE5658728456677D83D2E727A41F,SHA256=37C2248B8A061611722CCF425847F780424BD6CB054A00CE071130E64DC8B17B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:32.414{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89EF288545956B3A795AD8F944F7ADA5,SHA256=50927CC39AF9BB0091C5CAF0B8DC76BF18448F982841B6B9E74B8A68B4EA6E12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007995365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:32.414{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C0EF4727F78C64D149B67EF7E51D589,SHA256=25BE45E341544B02F9C978290DC65B4955C229FA8A05402153400DDED38F6D70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900661Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:32.441{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64A4E2BE752319CDBBB300B239F951AA,SHA256=AA6BA2317822647E7255C8EB9D7D14F127D22C46451F066BE35F8C31B86CBC5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:33.899{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B7C4974D26DAB1ED0E1BCA21A7FF0E5,SHA256=BA1AFD8F21AD06D0C789CB0C0791676C2442B879310DB4FC1D5063B5A8D3AD52,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007995368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.309{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62331-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000007995367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:30.293{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-128.attackrange.local123ntpfalse168.61.215.74-123ntp 23542300x800000000000000015900662Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:33.457{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=232109A22F1ACBD5E515A94FFE29DF34,SHA256=2E111323EEC4A656CF0D6ADF7E3948E576A09EBF20745AA56D952BA90930388A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900663Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:34.472{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E02D2D68722F8CCA9415876772221C92,SHA256=68C8050336F6059EA33E4A61CCB8FCE17F98FAB47037A8E1D20075AA7ED591B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:35.352{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02FD50971B3033F85110B23E68BA8DA1,SHA256=D06B26A91D5369FDD30B83CED68088D8C7F10E6EF48F4C6B751F807DCBA689DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900664Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:35.472{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACE19689A081C29426C919A88AD61B53,SHA256=10FF010388DB1E74302103ADEDAF8099A6B6AD0F43770AF3A7F75550D95EE93E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:36.727{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1009416B458FA2E1FC407E12DE719500,SHA256=6D92E6ACD6A5251A73FEFC6B54F0E18A353C54B5585CEF191156B7E5BA29C4A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015900666Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:34.423{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52051-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900665Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:36.504{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B61E81B416E09BA44A6E5F0AE7C6311,SHA256=968A53F9B547F600A7720594FA84174E781D6ABDEE7205DB852C21C249257FB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900667Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:37.535{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DE893F766926095A8DD1A7B3B8D256B,SHA256=D9E87A44BE5619960E781F3853FDC4CFACB7E9BBE090716325D045EBE7CE8606,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:38.086{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E848F0BDDD7E7D3452A79EF2947380B9,SHA256=27AAC9DE591B7E77841A324C3F2AD142E2C546329F2B811375905E4C6715FFE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900668Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:38.535{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6632F9AE42FF6B6670D9DF2216351CE5,SHA256=B80FBFE2C86474CCE10D188416F596BE585D4C50E5214E34146AB52703EC8783,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007995406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:39.523{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:39.523{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:39.523{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:39.523{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:39.523{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:39.523{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:39.523{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:39.523{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:39.523{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:39.523{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:39.523{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:39.523{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:39.523{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:39.523{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:39.523{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:39.523{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:39.523{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:39.523{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:39.523{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:39.523{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:39.523{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:39.523{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:39.523{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:39.523{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:39.523{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:39.523{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:39.523{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:39.523{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:39.523{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:39.523{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:39.523{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:39.523{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007995374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:39.461{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE35EE9807BAC12562DE2950257995BD,SHA256=EFD7CB6C020F24E2D8C01FA06954DA29CC28B5A1C147FB1FCAA9CC18036A686E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007995373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:35.340{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62332-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900669Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:39.566{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=922CEC7AA9A8CF5B37B40C3ABDD886F2,SHA256=6C9E56CB3F4FE4381B64A00DA9A0E290153A2C28202A3B9E0FCC4C4543CD99C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:40.820{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA8FFB024EF050B79BBD4E24498E3AD4,SHA256=ACEA0B2B021869C6C50B420B401E89BC831BB21D61F92245822A3A6C7695B44B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900670Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:40.597{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6E2B678C75AEDD8E428266D3867ACA1,SHA256=2FDCBE15754464A90E13DCBAACD1D355074B7D425FE347F4550AAA4E267D85E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015900672Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:39.485{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52052-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900671Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:41.613{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC3F7BB9D9A1EB36F010168F94DFE55B,SHA256=155C3FC1197DDB5E697A70D07B32B1A5CB7F674DEF23F6FF4C56456A4F55274C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:42.461{3BF36828-DD0D-60DD-1200-00000000C801}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CBE1A96AB01F03CA65CE2A1E3C984B7B,SHA256=FFE1106ED419D36E93FF9F3A513CFD01E86250DE2968489D86B1815EC26625E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007995409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:42.180{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1831461168F8E8015E593897EC39F899,SHA256=C2DE1B4A141C28FA53FA3CFD283DA4F5793B2998BC3F1BF509268F846E3BC9BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007995408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:42.180{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7D3E592FDC93F1B5D4255E494E77B3D,SHA256=FF54305A031CC9D8F5A453DBA67E950540C81985B37FFF9211141E5D19965A79,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015900686Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:42.738{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EA6A-60DD-6A2A-00000000C701}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900685Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:42.738{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900684Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:42.738{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900683Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:42.738{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900682Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:42.738{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900681Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:42.738{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900680Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:42.738{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900679Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:42.738{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900678Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:42.738{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900677Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:42.738{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900676Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:42.738{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-EA6A-60DD-6A2A-00000000C701}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900675Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:42.738{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EA6A-60DD-6A2A-00000000C701}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900674Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:42.739{B81B27B7-EA6A-60DD-6A2A-00000000C701}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015900673Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:42.644{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7443D3145AB34D11996E7D7F430375DA,SHA256=55049FB0AAD57AAB8097B526C556AA16162B45AA2D6E351887E93266BAA4F6E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:43.617{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5458520E02F6906F81325FE2DA046A3C,SHA256=4A2CEA9C17EBE3485B59007DBBCE044085841502F5EFBEE3117EEC5C025A6D0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015900699Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:43.410{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EA6B-60DD-6B2A-00000000C701}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900698Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:43.410{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900697Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:43.410{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900696Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:43.410{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900695Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:43.410{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900694Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:43.410{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900693Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:43.410{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900692Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:43.410{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900691Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:43.410{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900690Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:43.410{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900689Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:43.410{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-EA6B-60DD-6B2A-00000000C701}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900688Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:43.410{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EA6B-60DD-6B2A-00000000C701}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900687Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:43.411{B81B27B7-EA6B-60DD-6B2A-00000000C701}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007995413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:44.976{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B8D701B76A232F3D1E1AE00937FD0E4,SHA256=ED9B2153301240C5A3D1928EA18021BE94782C660EFB0E583B50E6E5732A8B45,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007995412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:40.449{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62333-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000015900716Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:44.207{B81B27B7-EA6C-60DD-6C2A-00000000C701}23043064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900715Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:44.066{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EA6C-60DD-6C2A-00000000C701}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900714Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:44.066{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900713Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:44.066{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900712Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:44.066{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900711Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:44.066{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900710Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:44.066{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900709Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:44.066{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900708Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:44.066{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900707Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:44.066{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900706Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:44.066{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900705Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:44.066{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-EA6C-60DD-6C2A-00000000C701}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900704Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:44.066{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EA6C-60DD-6C2A-00000000C701}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900703Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:44.068{B81B27B7-EA6C-60DD-6C2A-00000000C701}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015900702Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:44.066{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13F4660AB232C9F4090DCD51CEB5EAE1,SHA256=ED2904942671978BBDE102D031D2F34A06B62A206151859794F0A27F3E54D622,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900701Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:44.066{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A9FBB8D9F34ACED393847AB462BFAD,SHA256=402B8EF2B602CB6904CF4D9FEF0C0B28F43D6B06825DEA7CC048468642862925,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900700Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:44.066{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D14B9757DE5D71766BDFFBA03292881E,SHA256=F7430B743F75FFB58F09B487153426063D27FFDAF8F27C2A8F95A140F1EE435B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900718Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:45.300{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D54787AF08EEC3EDF133AB7D23B75BB5,SHA256=485BD10CD63464CAC6A5475AE3882A52C20C296D14C977318FCD06DA14FCD177,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900717Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:45.207{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13F4660AB232C9F4090DCD51CEB5EAE1,SHA256=ED2904942671978BBDE102D031D2F34A06B62A206151859794F0A27F3E54D622,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:46.351{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2744F08ED60E013549A6B99AF6CC1DA5,SHA256=88F5D7C37D2E4E637E528097EE2288CFE4B918FED30BBBE8F8EE730659CB37B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900719Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:46.301{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=463AD19D21543CFA816F19945CD0909D,SHA256=15F25915ED015F2D3EC5C51B0690E22E44B4304D683DFC03554ED730E6DBD048,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:47.711{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E84CFF229F5A664594D84E2990EC31,SHA256=68791E509B4588F469B3E129367382E2C6DA252E2285C29A5A63D25655D76B93,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015900735Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:45.501{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52053-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000015900734Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:47.550{B81B27B7-EA6F-60DD-6D2A-00000000C701}46881056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900733Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:47.410{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EA6F-60DD-6D2A-00000000C701}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900732Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:47.410{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900731Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:47.410{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900730Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:47.410{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900729Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:47.410{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900728Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:47.410{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900727Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:47.410{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900726Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:47.410{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900725Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:47.410{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900724Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:47.410{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900723Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:47.410{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-EA6F-60DD-6D2A-00000000C701}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900722Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:47.410{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EA6F-60DD-6D2A-00000000C701}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900721Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:47.410{B81B27B7-EA6F-60DD-6D2A-00000000C701}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015900720Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:47.363{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DF32DA3B3B0BA5F0660562A26943225,SHA256=89B4A7D8EBE6334E1603AF22A5FC6137DABC7F40E5E2F654E0D77CA90228080E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007995416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:45.012{3BF36828-DD0D-60DD-1200-00000000C801}396C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 10341000x800000000000000015900767Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:48.628{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EA70-60DD-6F2A-00000000C701}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900766Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:48.628{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900765Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:48.628{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900764Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:48.628{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900763Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:48.628{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900762Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:48.628{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900761Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:48.628{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900760Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:48.628{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900759Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:48.628{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900758Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:48.628{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900757Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:48.628{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-EA70-60DD-6F2A-00000000C701}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900756Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:48.628{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EA70-60DD-6F2A-00000000C701}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900755Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:48.630{B81B27B7-EA70-60DD-6F2A-00000000C701}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000015900754Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:48.628{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1500-00000000C701}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900753Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:48.628{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1500-00000000C701}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900752Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:48.628{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1500-00000000C701}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015900751Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:48.628{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AA1D73342EFA50561BEC828069A57AC,SHA256=A7456623041396F6EF45BEFD7C29D76BE0E759B658DA0A59357240B355805069,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900750Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:48.628{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F66721C21CD419F52AABA52B97CAB70,SHA256=14CB6BC595497F9311EB72A52EFDACBAA2792BAB41FE0CC31ADC1961A10C96C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015900749Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:48.237{B81B27B7-EA70-60DD-6E2A-00000000C701}43803404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900748Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:48.081{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EA70-60DD-6E2A-00000000C701}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900747Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:48.081{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900746Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:48.081{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900745Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:48.081{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900744Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:48.081{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900743Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:48.081{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900742Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:48.081{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900741Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:48.081{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900740Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:48.081{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900739Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:48.081{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900738Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:48.081{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-EA70-60DD-6E2A-00000000C701}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900737Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:48.081{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EA70-60DD-6E2A-00000000C701}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900736Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:48.082{B81B27B7-EA70-60DD-6E2A-00000000C701}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007995418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:46.356{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62334-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007995417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:49.069{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41BDE096ECFC2552FABEBE0EB95E7B21,SHA256=3AE804A7A533860041CA63183A4DEA400D18CD03596A13A9557309D0CE17631B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900783Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:49.909{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E20186A879BEDC4BDC5264DFDD033FE4,SHA256=39C8F74100346E64E69F747DB86583273B8804BC0399C28E85BD3EA6B1F3D6BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900782Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:49.643{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6AF970992E54E893EE11B0B3200E5DCF,SHA256=8F4FB887239A24F744282AB86FA9C17011BBF19947A39B33BBC19FA9EDFBFC1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015900781Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:49.440{B81B27B7-EA71-60DD-702A-00000000C701}18886008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900780Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:49.300{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EA71-60DD-702A-00000000C701}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900779Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:49.300{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900778Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:49.300{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900777Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:49.300{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900776Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:49.300{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900775Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:49.300{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900774Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:49.300{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900773Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:49.300{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900772Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:49.300{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900771Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:49.300{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900770Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:49.300{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-EA71-60DD-702A-00000000C701}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900769Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:49.300{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EA71-60DD-702A-00000000C701}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900768Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:49.300{B81B27B7-EA71-60DD-702A-00000000C701}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007995419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:50.444{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D193F1881BE6C7B9920833915BB96F45,SHA256=FA84FBA28B07AEC5FA008F16033705024577440C74D55A6D7BC8FAC4C6D64F91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900784Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:50.909{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE0169F936E7EAC0B4F063CCFDD11952,SHA256=4A63B7010C631EE13FF6051B15FB4B162ECA4E5015D976F3E36C2AF50EEA6278,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:51.803{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E7EBCEB0EE81B7A71BDD002D70E2FAE,SHA256=6C6E4504E5DF0889B789932DAE8D0B31B1F9850A12912BF0B6B3BBE516B7BFB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007995420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:51.116{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=878AC7A2448CAA0168E9949FC06E13EB,SHA256=A40DF8BD3BF89266D337368E5FBCF27350B6301F82CA72C9C5FF70A2B51AC383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900785Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:51.925{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9BF106076819980699364095C1FF5FA,SHA256=98B903D6FD9B3FD5D14ECF45568F0B0143C818A0C323FD7C598B6AB55590C69A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900786Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:52.940{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71C35AF36A33A33576A83B7690E2D14E,SHA256=26025D7AC7BAD02C73BF7CCC10EDF37992FEA359ED87B92903B0BC8A2E188E62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:53.178{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BA026ABBC4BC7AD6E0EC09FB51285FB,SHA256=4D51042254021F96132A31F6E70FBF5B988B23B655F8C1350C4A448763808B3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900788Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:53.987{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=666C3022B91FBEF6B8D24DFC76E1A9B5,SHA256=4BB07D00A0F1992F9071FBBA09C99F0234C8E374FFAE3F65FBEE0616A2645F94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015900787Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:50.562{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52054-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007995424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:54.537{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19A78DA999B8236EE3802E5182EE614D,SHA256=F469CB7347FC39991F830413B7470AF2D7D8EF537AD5FBB3CEF68311DE3F7CA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007995423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:51.417{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62335-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007995425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:55.898{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7D2DF4CD08EF98EFCA00EEB057B4D59,SHA256=AC92B29B10F6E7443457DB53DA430901E82D119C2ADB928CE15EEAF48B563D06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900790Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:55.425{B81B27B7-880A-60DC-1000-00000000C701}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5EB2E866169E960C77F8D87C374A332E,SHA256=7C8345502422CC6033016DEDA8AEB8192A1DCBF38A0FAF852CFA9F34B35CC352,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900789Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:55.018{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=005F79BFF6C0D368458A58AFAA265D00,SHA256=30FABB7F9683552BB802A81949971DD565CFDD0D0B64B6AAB401857664901457,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900791Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:56.050{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=936FD17506E13C2EB04F08508616B7AB,SHA256=95519D7DA5AD221C94208B024983FEABA24EFDCF9581F9900C4CA459142D6813,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:57.257{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EB7838342C9DEF76E3D77B256621400,SHA256=9520E0C6A2BFEA5BB2F1C96DE773FD234251BF3C3BB54B1333E5480D6C68322E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900792Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:57.097{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB19250A92B201ED189D7D11BF16A732,SHA256=E55D0EBA00A6F596C0F9B8477A2C1C23F1CAB3042057CACB3BFBD6BF36398B1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007995428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:56.433{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62336-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007995427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:16:58.273{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AC24AA904C9F16FAE24E90EA976410F,SHA256=2896AC0E375F902B4EEF8D59D374F897968EEF7FE3A3ECC8AA73C1C190DBC858,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015900821Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:58.534{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900820Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:58.534{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900819Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:58.534{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900818Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:58.534{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900817Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:58.534{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900816Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:58.534{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900815Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:58.534{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900814Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:58.534{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900813Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:58.534{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900812Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:58.534{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900811Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:58.534{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900810Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:58.534{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900809Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:58.534{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900808Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:58.534{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900807Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:58.534{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900806Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:58.534{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900805Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:58.534{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900804Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:58.534{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900803Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:58.534{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900802Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:58.534{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900801Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:58.534{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900800Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:58.534{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900799Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:58.534{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900798Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:58.534{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900797Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:58.534{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900796Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:58.534{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900795Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:58.534{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900794Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:58.534{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015900793Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:58.112{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82D18042E8C641A4CE037C9BB647268E,SHA256=9BF191138E6D4CF335F1276593E11B3E2A4B32CA5DC38C45BBDE34EA3DEB71E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015900823Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:56.390{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52055-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900822Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:16:59.659{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=437196CEAF73CD3EA8BA7540DC5224F8,SHA256=B27C938593337E3A448AF367FA008CA3E0902CA4C444CD2611E7B5172958260D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007995432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:00.835{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1600-00000000C801}1320C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:00.835{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1600-00000000C801}1320C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:00.835{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1600-00000000C801}1320C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007995429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:00.304{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E75AF4658D14235A8A55A23141F47B9,SHA256=A79E32899A1601209BD8E083562483892846FC3A63D9C89C552954D6ACFFAD0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900824Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:00.675{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43104BA07D860A109AA32BB2AF2BB901,SHA256=51A3F32AE4AAA6E899588E836A94EF7182257C6C8FE0CF9241B9095C4568EEDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:01.663{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF786EFE9A277464AD8C4D9F82220317,SHA256=9BE3955578FD1FA1CD0E2066D156A919F7941ACD8E748122921A055190CB14B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007995433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:01.663{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C17CA9EBC856401E4A0AC9C54763566,SHA256=4FAFD993717843E5E2803F7D5614CCC428BAE94CEA11C196DDA80BE4282DBCC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900825Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:01.706{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68BA6DA7361726EFC27064BCB8E65FE0,SHA256=81D0FD7A36D3521A9726BF97CB35F26C9162988C749E89EF1E271987DFA8C298,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900826Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:02.708{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3974326EC036CC2B4F9B02B2ECD2EA02,SHA256=4CBF50ADA246F837D4BE14C7FD693E000C0B536EF09C7343C494D6727D320DA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:03.022{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A79D44A948F0A895CF5CBD7555130FD,SHA256=BD65538E141FF3893D1B171226477D4AAD6BC1A83F7BB46306E7B66D04915D8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900828Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:03.752{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC2A398CD8A69CAC1E08EE6B3B2887AA,SHA256=5624C05D0FE5D607298A3CB9CF48CF9CD287D4D62F13CE9961B258F26F6EAAB2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015900827Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:01.424{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52056-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000007995437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:02.371{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62337-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007995436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:04.429{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C406578064DD4EE9846C149CC9E71D6,SHA256=B0F625CFAB4D6BF41CE23010DAA4607F249A5EE7FA2CC990EA0C3A933459842B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900829Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:04.801{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66FAB1A014620BC20E7D70DF13EDC971,SHA256=B9FBA77466D51158FB4EFB2E374515C5801ABF836080B463EFED321FE6C1E212,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:05.788{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16487473B1883E3E344BDFB29CA00DF8,SHA256=747EB7DCC4B1240786FE27DE55EA639E61CF4DB54FB5B05FC906A2AA8A253A9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900830Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:05.801{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26FB7E6BAD36E9279A18313068001E12,SHA256=96DCEF7817887787C2D8A5E57D5537FF8A056EA6ADFE05C8A1D56640207C573D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900831Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:06.816{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E489E9C17CCD2A50A06BFB50D165672D,SHA256=AB4359C4954BFFD20DFEBB7CF4CC7AD3F66F6993B8B66079D2708F1B0B4D6B55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:07.147{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24AB936460D690BA6CF2906B64E91B97,SHA256=7D529E66D62483D29E07BD415B7C1DC298A986610650EE30947DC7BFA5978F47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900832Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:07.819{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CD20D3A26E993BA7E24D5871713A712,SHA256=23AE3E359A3F798860CE141F332BA391F7AF4949F3C76A8D997183345116C297,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:08.510{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C00A7CB514BF954A57CA30ACEA7183A9,SHA256=481D4A2DB47303F49A9EE7CD7720E6FC1E7622AC8C603CFEE9AF62ECE297587F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900833Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:08.851{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8475CF77E29153B6407E95A0ACAF89C3,SHA256=5F6C6FB003A4B867CD7FA36BD58709450C7DC1C3275DCD021143DA478B94F698,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:09.885{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECD06BED2EA65A349917E701D7BEB066,SHA256=96339B201C5E0F70CE9DAB0779111F6C071358EFE2775BCFBFFF9E5F75F16C4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015900835Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:07.379{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52057-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900834Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:09.866{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=044FEEFE72304FC89CEE65F64351328E,SHA256=0D1CE081A8DA6CAAE053DBF016A206D759AFAA07A5506358D461C12B9F80352B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:10.556{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=274C30EB5BD031AE3A658249159943C3,SHA256=1A9CA1C675C0D7EAA7A83FAE9923232A9D90EDB713AF60A32CEBD5CD62BC3445,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007995442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:07.373{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62338-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900836Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:10.882{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8579709EF5D4587321AAA6635DD03D,SHA256=08991A4EF3ADCCF420C097468E46B1C8440E89E83721DD000EAEB74316669714,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:11.244{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB77E80364F8E15CE4E90FAB4BFF5C25,SHA256=00758870B9758C9FC8AE4FC25C2BB25182B214C6F45E843BC7DE9BA541D6B141,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900837Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:11.913{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3FF454E6D2F784010BEF247E5C7031D,SHA256=120B6C63DA089692CDD8EEAFFEE73B6C055D017ED2B0CA81B5F534E09FD87331,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:12.603{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2D5694F2BD0576F43577B54F1BF4FE9,SHA256=8321A6E9A3E0E67C50FE1102851BB411EB8AA62EEC9C120D0E6E09DDCBCAF9C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900838Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:12.929{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12CB8B058451F84926AEB31777DC9CCD,SHA256=42C476C13165AA2A6B1777E6245DC0628491965034108DE1CBEB27D14E452CDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:13.978{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED7A13A40CCA5EA76E41F16005BF0185,SHA256=9C28B3962DE70CF7AB61507EA12613ECF04ECE44F381AC5E870BEFA567812898,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007995447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:10.827{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62339-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007995446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:10.827{3BF36828-DD1D-60DD-2F00-00000000C801}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62339-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x800000000000000015900839Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:13.975{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=054610C1BEE6AF4FEF478D0F98AE976B,SHA256=8B01349BBEEB94AF8F3ABD2EAF0474F8148A29F2D03C7B855848323F3BD93C70,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007995450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:13.280{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62340-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007995449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:15.338{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C001D39E7010A0BBDABA767EEF7DE0,SHA256=8DF700ADB6232C0D2A708CD1AC5B1C17BCB3884138D60391466D06C5E7CE42B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015900841Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:12.473{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52058-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900840Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:15.022{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=035BE5CA0BCA15A8105855E063C2D0CB,SHA256=B5F65C38A80C36D6165CBDA32FD1A4E7289759675D641242D00A85DFF700B5DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:16.713{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9A26AF408BC32BB6CAC1188E75B28B8,SHA256=18A1292BF8B4B8025559A41003A9B3C314FA1986B1EE2A17384C0AB1C5C20B98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900842Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:16.085{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D613FF19A15E2F4398EEF26C8695F0A8,SHA256=C4AE5E9A031955A83EDF98FD26A813CEAE0D1BFE5CF54D5E56EB2F53024477E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900843Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:17.100{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB48621F4998EA5A35A8326BE5E92DB3,SHA256=C80FC7AE152813C883F6CF4DCBBAFDCC8FE1E33FC7218AFD734A05EE3538C206,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007995554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.900{3BF36828-EA8E-60DD-4802-00000000C801}26321992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007995553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.900{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007995552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.900{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007995551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.790{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007995550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.790{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007995549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.790{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007995548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.790{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007995547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.790{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007995546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.790{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007995545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.790{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007995544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.790{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007995543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.790{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007995542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007995541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007995540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007995539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007995538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007995537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007995536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007995535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007995534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007995533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007995532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007995531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007995530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007995529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007995528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007995527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007995526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007995525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007995524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007995523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007995522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007995521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007995520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007995519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007995518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007995517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007995516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007995515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007995514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007995513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007995512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007995511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x80000000000000007995510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007995505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.775{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007995504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.776{3BF36828-EA8E-60DD-4802-00000000C801}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007995503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.197{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007995502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.197{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007995501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.197{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007995500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.087{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007995499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.087{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007995498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.087{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007995497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.087{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007995496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.087{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007995495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.087{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007995494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.087{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007995493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.087{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007995492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007995491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007995490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007995489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007995488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007995487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007995486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007995485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007995484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007995483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007995482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007995481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007995480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007995479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007995478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007995477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007995476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007995475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007995474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007995473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007995472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007995471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007995470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007995469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007995468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007995467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x80000000000000007995466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007995465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007995464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007995463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007995462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007995461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007995460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x80000000000000007995459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007995454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007995453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.075{3BF36828-EA8E-60DD-4702-00000000C801}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007995452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.072{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=709EAE472C3316D6781B7EA1EF4972A6,SHA256=4650E1C9BEC17BF50F888C81D63F799A4E78F212AA7DF107538FBAA9CAEDE608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900844Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:18.116{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=827CC81245BE8925AB92D2CA3AD08B08,SHA256=57BCA3C9368C59976F97835CA901C984CCC4B2B2622FB2C91A111074AE295EAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:19.462{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8661B58E24EAC1B237B03F24AF34A88D,SHA256=BCFF2122E8B755AA2FED9CE368A44C2BD8816AA0C06238106EE2EAA5ED78A570,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900845Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:19.147{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06A5FCA69C4D732E28B5D1413C523DE9,SHA256=AF2AA490F49783873620E0406CA0A5A7DE1B3FD2FB52F53AADE85090686B2FD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:20.869{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C06914A0F744AAAAF31613A4AB0596DB,SHA256=1B59E18224CA16ED5E9659A8FEF9DCF4FF6576D21B732D20E6CC0081AFD470C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007995557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:20.181{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59B3D622822AC305D07440F555BECF78,SHA256=6EFAB9514255AD06D9792B97B6CD44E3DEEE0BF66A6EC16A517CBDD574ABBAD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007995556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:20.181{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=967EFF3EFDB89408D5C73EBB02BFE60E,SHA256=A1162333F164FF53DD7C4C1CE60F8572B55D1163779BC8622F387D1FF0C4AB5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900846Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:20.179{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D96CC90749A99892E11EE66D88E331F8,SHA256=71488978E0733A2E28ECFC37A652ED106B86C475922BE8F8EB6B87118C909D5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007995560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:18.389{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62341-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007995559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:21.134{3BF36828-DD1D-60DD-3000-00000000C801}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015900848Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:18.363{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52059-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900847Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:21.194{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=375BD95315C12353DC6D58C4DD6D79A7,SHA256=31E2B27626662BCC3B5FCBC7D70311EBE4EABA388607D1CA0D49AD20851164B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007995562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:20.310{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62342-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000007995561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:22.337{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C7EA8534DA5D01EEC8B8185FBF2558B,SHA256=6A82C6C78C31E7254F39957F23DDD53881817035332BB394FCE5AB014CB3CF29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900849Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:22.210{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6C48E04B588A185E86B359EC584BA5C,SHA256=B72148FE1A128ABC494C89E77AF1C8CB8FAAB0012BDB92381AF04E9C3B0AED0F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:23.744{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E8F2B2E388345A4544F9141F3201473,SHA256=635C56495E83BC26D7FA8CD0E291723A4CA72CFA2F1754D96D1D36CB77876C21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900850Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:23.225{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=021A332F33B74214545BEF583786392C,SHA256=267CF3229164CD0B20041FDC16A7A3D542DFFD09116463D082FF36B0382B669A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900851Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:24.257{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E9B136E71033893E344E81302B0C789,SHA256=80D6E228DA8ABAA9D678B9E35A98313F635DD8E10527915482B4F86A07562581,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007995619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.931{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007995618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.931{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007995617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.931{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007995616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.821{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007995615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.821{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007995614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.821{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007995613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.821{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007995612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.821{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007995611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.821{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007995610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.821{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007995609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.821{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007995608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007995607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007995606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007995605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007995604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007995603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007995602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007995601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007995600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007995599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007995598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007995597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007995596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007995595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007995594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007995593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007995592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007995591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007995590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007995589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007995588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007995587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007995586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007995585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007995584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007995583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007995582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007995581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000007995580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007995579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007995578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007995577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x80000000000000007995576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007995575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007995574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007995573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007995572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007995571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x80000000000000007995570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007995566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.806{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007995565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.808{3BF36828-EA95-60DD-4902-00000000C801}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007995564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:25.118{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21131DC56906E9CA2F0ED9CE7EAAAAB6,SHA256=142B1A672724518D4DAE4D2D6F6A3E9F5F680A4CDB0163EA08E83BEE445F7BD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015900853Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:23.519{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52060-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900852Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:25.288{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C222F2E217735AD495E00EBF71E1E81,SHA256=150763C9C4696FCDC3F773663E5989F9E37EB9B160094C0169D693A9D6B9E4A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007995671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.618{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007995670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.618{3BF36828-EA96-60DD-4A02-00000000C801}22165092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007995669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.618{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007995668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.618{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007995667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.509{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007995666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.509{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007995665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.509{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007995664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.509{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007995663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.509{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007995662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.509{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007995661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.509{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007995660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.509{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007995659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 23542300x80000000000000007995658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A33ACD7F94750EC93842355412ACF98B,SHA256=E6C9C0DFC20BB2958C1E4042872C09BA8B526BBC996D2835822C733AB96BC692,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007995657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007995656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007995655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007995654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007995653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007995652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007995651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007995650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007995649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007995648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007995647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007995646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007995645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007995644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007995643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007995642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007995641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007995640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007995639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007995638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007995637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007995636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007995635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007995634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007995633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007995632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007995631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007995630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007995629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007995628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007995627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007995626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007995621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.493{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007995620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:26.495{3BF36828-EA96-60DD-4A02-00000000C801}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015900854Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:26.304{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B9C55C48AB89EB864023347C2CA06A5,SHA256=FECA7EF2EAA92EE321B0205A3065921FA6EB827FA965985B9CB657F907AB319E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007995776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.994{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007995775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.994{3BF36828-EA97-60DD-4C02-00000000C801}2204764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007995774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.979{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007995773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.979{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007995772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.869{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007995771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.869{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007995770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.869{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007995769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.869{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007995768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.869{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007995767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.869{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007995766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.869{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007995765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.869{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 23542300x80000000000000007995764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C0E340B80E7255A84B2EB9180D9B20A,SHA256=EEE15EA5A751E167D784701F93B0866C34D428EDD8407756A0EAE61526463701,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007995763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007995762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007995761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007995760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007995759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007995758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007995757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007995756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007995755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007995754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007995753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007995752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007995751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007995750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007995749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007995748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007995747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007995746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007995745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007995744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007995743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007995742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007995741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007995740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007995739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007995738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007995737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007995736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007995735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007995734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007995733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007995732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007995731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x80000000000000007995730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007995725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.854{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007995724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.855{3BF36828-EA97-60DD-4C02-00000000C801}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007995723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.290{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007995722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.290{3BF36828-EA97-60DD-4B02-00000000C801}516704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007995721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.290{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007995720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.290{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007995719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.181{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007995718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.181{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007995717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.181{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007995716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.181{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007995715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.181{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007995714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.181{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007995713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.181{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007995712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.181{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007995711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007995710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007995709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007995708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007995707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007995706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007995705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007995704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007995703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007995702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007995701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007995700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007995699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007995698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007995697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007995696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007995695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007995694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007995693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007995692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007995691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007995690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007995689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007995688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007995687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007995686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007995685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007995684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007995683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007995682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007995681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007995680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007995679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007995674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.165{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007995673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:27.167{3BF36828-EA97-60DD-4B02-00000000C801}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007995672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:24.373{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62343-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900855Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:27.319{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=020C49C23F8F09C9BFE0ECB630F72E03,SHA256=32458F4478FDBA0759F0D6F76B48BFF612566E9749071440AF1ABF70685BC313,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007995828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.666{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007995827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.666{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007995826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.666{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007995825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.557{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007995824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.557{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007995823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.557{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007995822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.557{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007995821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.557{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007995820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.557{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007995819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.557{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007995818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007995817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007995816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007995815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007995814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007995813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007995812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x80000000000000007995811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007995810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007995809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007995808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007995807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007995806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007995805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 23542300x80000000000000007995804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C40F4597A7BC935899322E3C44A93CF0,SHA256=A230D97DC4F3B7763CE7DB619CBEBA3D2BFC5AA6943F31427406C87607B346DC,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007995803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007995802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007995801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007995800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007995799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007995798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007995797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007995796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007995795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007995794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007995793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007995792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007995791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007995790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007995789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007995788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007995787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007995786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007995785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007995784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x80000000000000007995783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007995778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.541{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007995777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:28.542{3BF36828-EA98-60DD-4D02-00000000C801}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015900857Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:28.664{B81B27B7-880B-60DC-1F00-00000000C701}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900856Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:28.320{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60340C7105E0370A7246F45A10AF51A8,SHA256=9B117993EDC9257E29428005C953D81982041D0FD89EA14B577CFB6B8E091C31,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900858Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:29.320{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=963404001C42EAFF14AEDC842E058D96,SHA256=7C6D335D20C142843A1210AA11736B311855EB9C0E4C676BFAF61EACF16F4B8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015900860Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:27.957{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52061-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000015900859Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:30.320{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F1D44B7FF78F775D880FAA382BA4B55,SHA256=0AE1BA183B0A7CDD10B9FA1ED720BDFC0023FD2C3FE39C0C9EAD3F82319CF901,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:31.557{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B58C3AE1820C987EC2AF47EAA59266EE,SHA256=9C4D50B71B1B6D9063D0700FE4E88C0F89AF79B3988B52800097FA84C5BBE6D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015900862Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:29.411{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52062-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900861Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:31.367{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04708A4448D5B77843BF28F66109304D,SHA256=DC5E658BFD0D0C54A8779928C5C68EC3760105B798D3866AE19722BD9D2F03D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:32.260{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9514F6C8B4E5AD62076BA7827D46F42,SHA256=CF1B382F492C3312CCE9E8DEA3609735A6C59FE7356F5CC3951D09FA2EB703BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900863Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:32.429{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28ECB3726A53BDBB2E2974740BF4B52A,SHA256=3C691FF9AB17D7F4F41DCA10CC9FBDBE4D5E6463139F9B204DD9CB37053BDD5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007995833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:29.452{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62344-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007995832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:33.025{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9690F87E4B28F21D3D87658CED44EC1C,SHA256=87C700E33EC8B71E1C0C178422ACDC4530564563F1BDC0B98E89CEDFBF9D7C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007995831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:33.025{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70FD5D8FA8355812D00A5AA4C7D6EF30,SHA256=9EFB941F692D46020D06F3552D1C1305A079243EF557C6CCF99A1E49E9A16B77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900864Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:33.461{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B930CEB8A90688CC0C56F01EB57E5E,SHA256=87006FE05EC76C166F67E6989630479E61D249FDAE51C0359B88E53CE78119E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:34.510{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9BEF86E3B22ACFF2EF1061961FAC99C,SHA256=CB32AF3CD43E6240864120433AB4E68B33D282C6A59F92AA27C4DDDAAD828AD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900865Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:34.476{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD8B9CDD5C8706A456BA1EEB04936867,SHA256=1C857489885289EC45A1380DF3DAC32B093E435568C2E38996218514D35EFC29,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:35.931{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E4E2A26464E91AF93398E3209590C4F,SHA256=CC26C5F27EB836A4BCB9B9D4798F20AA97D91F70F204F82A87217212F6F36473,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900866Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:35.492{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5D84DBE73C6B0CCC2326726D379EAC,SHA256=5E37756F6A057A557742C25EE3F3ECEA217C02D4B1E519051B803664D138B7C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900867Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:36.492{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7692E20CA966459A2DB62CA9EF971E1C,SHA256=E4C874E2C9343BE5BD4BE20FF69D70108047BB39FE6CDCA9950F973E5D868D85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:37.306{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E5B122D12F84B01C6A7606EBFEFE3A4,SHA256=A9B81495D26B847B2DD732E66B142FDAACB4342D87C2FC7A34C1BD97C1F1D61D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007995836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:35.311{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62345-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000015900869Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:35.442{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52063-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900868Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:37.539{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F301086454F293C771D68CF18E13BA7,SHA256=01EE73DF23E195007055A9DD573BFE3397A7D704E031634069EAAEF6F0BA257E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:38.666{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15A43EDB1CC69F37959023403297A570,SHA256=EB28243D1B648948591A0380F3D2CDDB9DFA185ECDB60B6411619F197134C169,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900870Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:38.570{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7736F48207C4A12B51B1C9ED6BE19E0A,SHA256=54FF33E4F79BD9DA5AAF6EA13E4FC2B3256299014C83A5BC727D320CE251E9CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900871Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:39.601{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43A6421B54471A1CBF0B3F0B9CA975F9,SHA256=6C74A9CFE306A32DB1C6514847E715A879F04D0B054CF885542BE403F969F899,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:40.025{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA958EB89D326EDB8C12D54730B134F,SHA256=CFABE50B3D7EB52EC6D4ED1406A03FAB6088E0A8C08398CC8ECA79A137A6B55B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900872Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:40.601{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54D8518A3B176AEAF1B17C577AFB1685,SHA256=2BB72FAAD35EE8D0B8128F03B15F1CE1C9B700F92AA6110060E6AEC83309968C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:41.400{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC2DE7EB08B577D3A90C3EDBDC9474BB,SHA256=A40B4C5E17F3068429CBA7E9F752A85F4A3BA6D6D0007B50FBFD06D76C4D0902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900873Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:41.617{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A15D6939E2FF11E4C928A1F031FACA69,SHA256=E52317BADFB045CD9E8854E10FA9495BA260EE1FF487AF0B9BE0D34A7231C1E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:42.759{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D2D71FFCF1085973CCD02618B643EBC,SHA256=AA1E4866A002D67B7401137FAB68174D77FB1AF71B65899B74F335DECC5789C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007995842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:42.462{3BF36828-DD0D-60DD-1200-00000000C801}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=38DA3F0AD5E32C8E864F6714CF45639D,SHA256=AE9B6D6295620FC5A5EC18655C343E4D4585545F1F3B8ADCB624115C81F91C32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007995841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:42.072{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DE57C1AC3CC848C26BBD15666B14194,SHA256=9D21A36EEA5ECF5E87E2C9CDAB5FE0ACB2FF3FE107BAF0FA753EAC474F28A2C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015900887Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:42.742{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EAA6-60DD-712A-00000000C701}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900886Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:42.742{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900885Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:42.742{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900884Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:42.742{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900883Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:42.742{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900882Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:42.742{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900881Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:42.742{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900880Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:42.742{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900879Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:42.742{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900878Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:42.742{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900877Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:42.742{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-EAA6-60DD-712A-00000000C701}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900876Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:42.742{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EAA6-60DD-712A-00000000C701}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900875Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:42.742{B81B27B7-EAA6-60DD-712A-00000000C701}444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015900874Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:42.632{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=167B39F1C1A627952AD18ECEC8BE06F2,SHA256=43290E9C128B2BA4A5BFAF0B6EE9F78AC533EBB8A461A69F3A205D253787ABD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007995844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:40.358{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62346-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900918Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:43.976{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3A71C59C41932D6976AC97736AA9B64,SHA256=0166D608153401EC9976F0076D976E2EAD6BA170BB33C843183B4F8F121E2532,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900917Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:43.976{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02A383F7793762913979D90115AE1269,SHA256=160996AF8196C01D3410FFFDF9FBE62FEAB5468ECF16634F7F5C2AE0CC7D722A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015900916Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:43.961{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EAA7-60DD-732A-00000000C701}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900915Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:43.961{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900914Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:43.961{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900913Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:43.961{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900912Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:43.961{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900911Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:43.961{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900910Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:43.961{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900909Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:43.961{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900908Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:43.961{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900907Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:43.961{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900906Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:43.961{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-EAA7-60DD-732A-00000000C701}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900905Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:43.961{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EAA7-60DD-732A-00000000C701}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900904Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:43.962{B81B27B7-EAA7-60DD-732A-00000000C701}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015900903Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:43.961{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B7F681EF9983784F080D52F24A780E1,SHA256=4779F0D10043A5AADE6261C83A4FFD0452680FBB5A0602E56BCED72DB7237B4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015900902Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:41.411{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52064-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000015900901Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:43.554{B81B27B7-EAA7-60DD-722A-00000000C701}27285260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900900Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:43.414{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EAA7-60DD-722A-00000000C701}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900899Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:43.414{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900898Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:43.414{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900897Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:43.414{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900896Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:43.414{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900895Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:43.414{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900894Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:43.414{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900893Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:43.414{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900892Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:43.414{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900891Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:43.414{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900890Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:43.414{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-EAA7-60DD-722A-00000000C701}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900889Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:43.414{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EAA7-60DD-722A-00000000C701}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900888Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:43.414{B81B27B7-EAA7-60DD-722A-00000000C701}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007995846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:44.822{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EA6B39303DECBDFC30E15CA58DB4540,SHA256=4D34DE77320C6C0E679D679F3B129AC078EE40CDADFE6F603AEF6FD357D8B333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007995845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:44.134{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2765495F4DB007C0FECD14EAEB1821FD,SHA256=07B1FF90491EB927C120FEFCBB8AEF7667281D457CD26766D59093E1C805FA00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900919Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:44.679{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD186E41CDCCEEBEE8C2B83171C84A59,SHA256=6F5F655839DBA046D8F27281BD65ADE9CC1C0F56993C569C5802DA12C8299817,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900921Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:45.679{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=573C21086956554A03BD09A6E622AB68,SHA256=3B84AD3B6F222C179585AB86658394BF82166FAE04F8E80538C863BFD313B335,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900920Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:45.117{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3A71C59C41932D6976AC97736AA9B64,SHA256=0166D608153401EC9976F0076D976E2EAD6BA170BB33C843183B4F8F121E2532,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:46.181{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E8F6E540317E49057B2F829D86AB7F9,SHA256=F54133E59DAE5622F2F1E0EA613CD63A55A9A24A9AB2DE006EE1EF5706850323,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900922Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:46.695{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47659AD91FDE479982C870EC469DE32B,SHA256=B92C706036E27CF2173BC48C2EE93917B5ACE86EF12C33FE8F53C688E3025CB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:47.556{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F067174C911599EF8D3A010E4621AB15,SHA256=A820FBA172D762C6A3E401F24F474ECABA5FFED666CDD53D2B0576CD71ADC404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900937Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:47.716{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DCFB91B93D7BF286A2EF60617A417E6,SHA256=AFCF83D9DC64BDE941C4A5D4BC5B1BAA73DF341FF139A25A7DFB14A6DEA04366,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015900936Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:47.570{B81B27B7-EAAB-60DD-742A-00000000C701}7445048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900935Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:47.429{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EAAB-60DD-742A-00000000C701}744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900934Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:47.429{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900933Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:47.429{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900932Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:47.429{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900931Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:47.429{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900930Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:47.429{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900929Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:47.429{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900928Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:47.429{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900927Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:47.429{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900926Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:47.429{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900925Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:47.429{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-EAAB-60DD-742A-00000000C701}744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900924Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:47.429{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EAAB-60DD-742A-00000000C701}744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900923Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:47.430{B81B27B7-EAAB-60DD-742A-00000000C701}744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007995850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:48.921{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9DE0900A3D1C99F4445C774AB6A5833,SHA256=73113FE5B518F3620FC5A8856531833EA59185CB08DEFBF994951ECA549FD8DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007995849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:46.389{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62347-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000015900968Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:46.426{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52065-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000015900967Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:48.794{B81B27B7-EAAC-60DD-762A-00000000C701}18405824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015900966Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:48.747{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17097A5BAAE292F153BDF9CC2A661E7C,SHA256=EB0F93BDBB2F7F23AA5D99CD2816715AA47E4920D0F311FFF965F431FB651D16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015900965Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:48.653{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EAAC-60DD-762A-00000000C701}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900964Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:48.653{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900963Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:48.653{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900962Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:48.653{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900961Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:48.653{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900960Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:48.653{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900959Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:48.653{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900958Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:48.653{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900957Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:48.653{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900956Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:48.653{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900955Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:48.653{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-EAAC-60DD-762A-00000000C701}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900954Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:48.653{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EAAC-60DD-762A-00000000C701}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900953Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:48.654{B81B27B7-EAAC-60DD-762A-00000000C701}1840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015900952Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:48.481{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=294C58CA83F71E3640EAC27870FC91CA,SHA256=FFABEBCE33C6370E86CB90BA83FE9F643B959A52DDB765C9A30395C67AD912AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015900951Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:48.184{B81B27B7-EAAC-60DD-752A-00000000C701}10762296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900950Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:48.028{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EAAC-60DD-752A-00000000C701}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900949Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:48.028{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900948Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:48.028{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900947Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:48.028{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900946Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:48.028{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900945Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:48.028{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900944Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:48.028{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900943Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:48.028{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900942Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:48.028{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900941Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:48.028{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900940Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:48.028{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-EAAC-60DD-752A-00000000C701}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900939Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:48.028{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EAAC-60DD-752A-00000000C701}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900938Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:48.030{B81B27B7-EAAC-60DD-752A-00000000C701}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015900983Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:49.763{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6E8E16BBA53527AE7DE6D3DE5269C77,SHA256=DA00B08339695EA5B80A4E0C490D6EA6F4162E622816831775AC6A54A4ABA279,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900982Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:49.684{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5672087D7E9572AB62C558C20C0E46F5,SHA256=53CCCA209894FD7ADA6BFD3364E27F093186AEF2AB411E2357334EDA7926574F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015900981Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:49.325{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EAAD-60DD-772A-00000000C701}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900980Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:49.325{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900979Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:49.325{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900978Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:49.325{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900977Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:49.325{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900976Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:49.325{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900975Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:49.325{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900974Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:49.325{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900973Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:49.325{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900972Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:49.325{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015900971Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:49.325{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-EAAD-60DD-772A-00000000C701}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015900970Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:49.325{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EAAD-60DD-772A-00000000C701}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015900969Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:49.326{B81B27B7-EAAD-60DD-772A-00000000C701}5480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007995852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:50.967{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=156D6BB1330B3D7D8D5B11BE3ECA53FD,SHA256=2ECED11A865423C8AAB316BE9F865E42C6A4E4266163B664F5BBC7DD8F761494,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007995851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:50.280{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E99032AE057EEE14DDD9B91F0739140C,SHA256=DD801C5AF30CC461C2901B9D3CDA1DE059CC633D94AA8B0455FE85C74BF191AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900984Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:50.778{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD4D5024FCEBB7A40206C775C0487A13,SHA256=4A6EC61709733F0E0D83CF5BD128B35EA969ECC318EFDC71D82982097FCE4AEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:51.655{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8901211B69251C01E579FAA7974044E,SHA256=9EA5F6873DE2250057863F2A0554D3A0CAB79FD0F2772F23995D5FA748B03824,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900985Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:51.794{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C0FF6D193BF55A370F19D374E3DE531,SHA256=5ECF88A5F6E96B92C10FB23A3ACB38F82351BAF43D9CBF91AEB77BBEF96C197B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900986Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:52.794{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E17B467C431594413968BFA50B673857,SHA256=88F5026F2590AF43338E9CE10F1E476EF52A2705246C5C31FA158CA9F1A2F605,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007995855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:51.457{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62348-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007995854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:53.014{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=568146E1EE8CC83AB89DC1134E7623A8,SHA256=C84727D8DC55178511B23ED5DDC87BF2785EE90C804EACC32EC7DEE500162BD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900987Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:53.825{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C52DEA421C56702BFC11DA37382AAA2A,SHA256=8864CD9E77EB153022CC0998D20B282DE12E8931D3EAC711534AC40A0FE8FCFB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:54.373{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D900248BAC340A68BEC70CB221389718,SHA256=CFD871A4B4698E0C726B643EC68E74810F52DED93441FBE63EFC463BCB9C1B90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900989Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:54.825{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F640DDB91DECBFA0206806EB24ADE42,SHA256=8DCB8DB012E8FCE0B9690BEBB94E59B7B9EADF782FE1ECAD1B8A2C3122ADF4EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015900988Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:51.447{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52066-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007995857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:55.749{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9981CC61AEE47071CA62B2F7A1B72EF6,SHA256=8B62E14E0F484728E3FD5A4D5032BC1E1C2918B0CACA0006A1E02BCC1C202F72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900991Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:55.825{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E3454513C2ED9652D1AA7A705CF5172,SHA256=67904643CD348EECE3C3A11F42BE6E64AB4B99D95493D231F1D979DD68275B32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900990Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:55.434{B81B27B7-880A-60DC-1000-00000000C701}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F97DE2B75B5A4C1BCEDA38DB52E2AE5B,SHA256=C41815FB670F8359B4FC23FB38D90532E478E0128B25A2A16783EC0478FFCC3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900992Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:56.856{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5AC109FD150F6000EF71C64785B13BC,SHA256=C52437665E6866DB8AF44EE678F0103D31AD1FF70198DEFE661F75132B9DD94A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:57.109{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A113F04D1F2390C9B118D8052BA5F6A,SHA256=FF1D63079884F69D5A6B991F2373307E0C2B96DF09F5EB7E4CC90AE1BFCA906A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900993Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:57.856{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC9E393739A71D363CF7733C8444D6E3,SHA256=802EC9E2B3023F01CB27ACCC96B4B1A3375C13275B99FB28D6049092F4331C2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:58.469{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B9A6D7A868AE6C1B8484E5D36563FC,SHA256=B24BEB3D8F1D614C38161191331650073F98E17D91DD8363D61CE0F264D4A975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900994Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:58.934{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73E4A6F1B5C9CEC11B481ADD9DDDF8C2,SHA256=BE3ECE80B3112668D23D8EEF78DF0AA3E416AC7590A7C1F3C7AD3375F2106807,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:59.844{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=345BD157DB69D91C6C9E8B47387D5BBE,SHA256=875BD0753D5D7B64795F4FC9D0FCD14AB2FCEFED843B0EA96C59B09E8FF1CA42,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015900995Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:17:56.509{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52067-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000007995861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:17:57.349{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62349-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015900996Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:00.013{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6299DAE9CA65ECF56B8CB2B8CC22BFA4,SHA256=C7677B8C350ECE2B99097C86DE567A5707CF6384207BCAD18CF91AA89070254C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:01.875{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB5791D067F6684DC3581BB0A836EF26,SHA256=32F3B8A06D7FADEA77434CCF912CFB37B26BD78E84C7C1DB56DA98CA66690444,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007995862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:01.875{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0ADDF281781B554366FCDF1394D6A173,SHA256=14D7264847E1F40B745627BB620B3BD234BD41E3565CE9F65CE2E374F988D468,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900997Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:01.044{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C11E93E22B1237ED59B38B5B32100B1A,SHA256=3F554E413C5524E88DA61F7B57D8730FD00E2AD6E96F3A731C637E756220F99F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015900998Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:02.075{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=053BA5792567DE1169AE322902A08A8C,SHA256=036CF493D0DF77BCE204CF74E29D93F5C4964E4E4264CAAAD6C7D9756D2719A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:03.250{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE37C3BA87C5956C3C28D7A061A7E557,SHA256=6976CD1EE5302A31DB0A7ECB35BA91BBE382659D8B2D9C4A426579024F63EF19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015900999Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:03.092{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45A3563000C42E5CC57A2CB57A272F09,SHA256=FC8AE7240397B937CAAC7DF80676CA65C8EFA7B285F9DAF16BFCE80A8569639B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:04.625{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70AD2CBFFB2A5980038CC00361B68A9F,SHA256=687BF21CC42B3DE708DF2ED84775AA72B7D2D734EC0CD467337B4950248C4C26,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015901001Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:02.353{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52068-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901000Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:04.152{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=564AB1013F79186A3956B5FCB874879E,SHA256=1F98E184D5C1756582C7A38B0A4AA5D4C233814F0DE1B1776723301B1D64C42B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:05.984{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47CE00CA4C18B5579A9C004D4DED4C1D,SHA256=FED5B2A0817149CD4FACC829391CA88D315CE308313D4BB786DCE0F03525FDE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901002Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:05.155{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10BADD3B794C846D83F4F46539B4F8F3,SHA256=B2C6E7D30A4DB6E78E47A6CB3C4227BF3143601EA32765B31587FD5D0FBFD6BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007995867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:03.286{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62350-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901003Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:06.186{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DD861420F4A9E519168D858E9F9E591,SHA256=DB5567A9FE21DA6E6DBF536185F9592A9AEACB1097B6342F65623DBC7247BF24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:07.359{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75FB3C780C795A2E76E596889C5C883D,SHA256=15AB5EBDC42A0E3D3E1B6BC3B4F6078E9F933E891E2B17859C55C21D4E3C5EB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901004Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:07.217{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20BFBE3D284B98FAA9FE243C392CE4AC,SHA256=CA835369B44AE6A499D622A022A5C338EC69FEAA8C01F44885E5ABD5FB07BA58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:08.721{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F161023E632F5F5A8978F4891F57717,SHA256=F3B7BE041761E7C983E6334B86FBB9713767856AAA27B05E747E62679826CE49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901005Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:08.237{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92742D64BAAD6129561FB47564592EE8,SHA256=3324DEB68E90A4357C824A1BD99986E583E99C9E0FAD553812342F689A896BD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901007Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:07.375{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52069-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901006Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:09.268{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=794D34362FF12ACAB62DAB9AD0BD2C21,SHA256=FB1CA7C2942132C68B9C2BCFD36795C9503044C5A809D49B6CFDA0B2CB2F30CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:10.081{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C31216584C3B5666C9A6D7DE79DC7363,SHA256=8D3443983027665D0A1BD51439813FB5E98D1C521C136F0C4AC7096183DF798F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901008Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:10.284{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A223EB076A14A376B9F7D2A1F71DC53,SHA256=5B7BE26D774BD87C9C34D440CFD60C429AEB9B2DC55EC96ED3DC569200941372,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:11.456{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1722E9AD52A388F5201A886B871FE65D,SHA256=329796C433AC79B36C9355C12103440D7E96020895BEB130470324502F7BD9D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007995872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:11.456{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D65BC6396E0408F15A617B52FA0CE4AD,SHA256=7B5C66CCCD68ABEE97A1B219BFEB84F67D32835B1D00CA024FECC6398B9CAE32,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007995871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:08.336{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62351-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901009Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:11.315{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B076BBEC2F20A22CE26C7C61B71EE91C,SHA256=D369C97D30F97446E447EC2E65CAEAEF78D709E6463B182647D9F7E0DE8E9EA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:12.815{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2961160F3DFD041B8ECDC38329CC1E7,SHA256=75B10ECE16FF3590A7B316946B6553DD78E7A3E2E9BB517A819D519C3A762E0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901010Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:12.331{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A598B21AED1E2A75A738088FD2BA1BE9,SHA256=FFB9A52337DE5F021AF18C733176A51D0DACAC14356CDD07ED56AF0FD135EF29,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007995876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:10.836{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62352-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007995875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:10.836{3BF36828-DD1D-60DD-2F00-00000000C801}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62352-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x800000000000000015901011Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:13.347{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=658D60E5D9312A5E347B4570BC6BE481,SHA256=9B626C71091061FBE2A629FAF3C02F2F70ED430726EFB08B9E32F3110C3342AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007995883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:14.846{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\tokenbinding.dll10.0.14393.2363 (rs1_release.180625-1741)Token Binding ProtocolMicrosoft® Windows® Operating SystemMicrosoft Corporationtokenbinding.dllMD5=8AD65F608FD6964085B365A43F8DBEA4,SHA256=E088353C88877763D4E5BB6EB7FB55C81908DF639A9AF89EECA546FD9EDB18DE,IMPHASH=EDBDD2E193CED10C0D380B250BFC13C5trueMicrosoft WindowsValid 734700x80000000000000007995882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:14.846{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\TokenBroker.dll10.0.14393.4169 (rs1_release.210107-1130)Token BrokerMicrosoft® Windows® Operating SystemMicrosoft CorporationTokenBroker.dllMD5=9ECF3BE652A6FF4B5C4744697FDDABA2,SHA256=00DF6190CBF64C8840C1B9068A844D4A6584E6D82C8C6FD78CFDB10184F815C7,IMPHASH=F91C8ACC62DFD3D725FAC2A0CBB6AA8FtrueMicrosoft WindowsValid 734700x80000000000000007995881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:14.862{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=D0DB3DD09FB2B4ADABF4E719FAFC4EB9,SHA256=8B7C056B5F4AB604ED5077A39C63CE1B5A34929DE76DA4A3C54D6E648D123BAB,IMPHASH=AD7CEB919D43FA2BD394EC803EB6BCDAtrueMicrosoft WindowsValid 10341000x80000000000000007995880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:14.846{3BF36828-E8AA-60DD-FC01-00000000C801}34881600C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61acc|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000007995879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:14.846{3BF36828-E8AA-60DD-FC01-00000000C801}34881600C:\Windows\System32\RuntimeBroker.exe{3BF36828-E8AA-60DD-FE01-00000000C801}3560C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61acc|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 734700x80000000000000007995878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:14.846{3BF36828-E8AA-60DD-FC01-00000000C801}3488C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\OneCoreCommonProxyStub.dll10.0.14393.2395 (rs1_release_inmarket.180714-1932)OneCore Common Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationOneCoreCommonProxyStub.dllMD5=02CEC1566FB0709923FF7A9FEC254D96,SHA256=81BED60AEB79C489E9F79996A3F0AB626E6CA247EBB656B6B9897C47A39F6AFB,IMPHASH=69A8B7E9F373278F52FE45A83CE3A380trueMicrosoft WindowsValid 23542300x80000000000000007995877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:14.190{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32A128B48A68646B8F541EFEBB107A1E,SHA256=1D9899B1389EBF9BE1E8412DF5B3C6E075FAA88E43CCDF68036369424A5B2028,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015901013Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:12.546{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52070-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901012Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:14.347{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55ACD77280F99FEE78314894D61AB866,SHA256=FA6850A3097F7934DD7C9E6774E91887DCFA018985B5F993D124F0C4D349373C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:15.549{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A87F2407EE4A47CA25BAB49CF5FD09A2,SHA256=B00381EDE16E51134B5D88286593C8F92C9A56B363113BA11FB9E64AC7688BF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901014Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:15.362{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22E523E71B3D4D6955CA0A1A2ECB87BB,SHA256=8E6B1C452AB21FB2C0AC4EB25993D62098692445A9C148DB5A2291D402F4AEEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:16.940{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1751E40360E0EABD5A4AEEAF260222AC,SHA256=2A4F5CDFE870E63154500F47AEC11BA84F19C013C336BF566604892081D9DD6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007995885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:14.242{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62353-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901015Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:16.378{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E59B85C442CCCE29843F133AC89DBCE2,SHA256=FFFEB6E2DB9EF108FEB4BB95E91B201E8406A827D045F66340406D26D4682D3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901016Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:17.440{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD96912E2609600F50DB885ABDB98F46,SHA256=ACA306B8470C2F309CE0A627A33BFFF750E10100CE8275EA1E6401C28189DD06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007995963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007995962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007995961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007995960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007995959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007995958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007995957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007995956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007995955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007995954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007995953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007995952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007995951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007995950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007995949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007995948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007995947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007995946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x80000000000000007995945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007995940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007995939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.989{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007995938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.440{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007995937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.440{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007995936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.440{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007995935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.330{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007995934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.330{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007995933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.330{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007995932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.330{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007995931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.330{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007995930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.330{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007995929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.330{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007995928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.330{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007995927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007995926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007995925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007995924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007995923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007995922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007995921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007995920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007995919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007995918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007995917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007995916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007995915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007995914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007995913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007995912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007995911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007995910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007995909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007995908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007995907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007995906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007995905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007995904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007995903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007995902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007995901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x80000000000000007995900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007995899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007995898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007995897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007995896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007995895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x80000000000000007995894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007995890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007995889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007995888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.316{3BF36828-EACA-60DD-4E02-00000000C801}4892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007995887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.315{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDD2C7579E1943E5B8655F70341E6D28,SHA256=950FCA24FE7257E1C9F2749A6848205088C317158D7AF0FAF16A2DE7845A410B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901017Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:18.456{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E938BD966FF314CA7DC1757EB9B3C50C,SHA256=C8382E5AC1E6FA4E148C0AA0750F8FBBFA9FDD57CAB0E6B40291F0B710D6BA50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:19.674{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48C2D8FB3161A7CB8A2B8E0C056ADA50,SHA256=0FCF27685AFE8776AA42DDDD68DE4FC619A75C1949D8BC633289D824E4A03C99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007995989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:19.112{3BF36828-EACA-60DD-4F02-00000000C801}34204956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007995988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:19.112{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007995987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:19.112{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007995986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:19.002{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007995985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:19.002{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007995984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:19.002{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007995983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:19.002{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007995982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:19.002{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007995981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:19.002{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007995980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:19.002{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007995979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:19.002{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007995978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:19.002{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007995977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007995976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007995975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007995974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007995973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007995972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007995971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007995970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007995969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007995968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007995967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007995966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007995965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007995964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:18.987{3BF36828-EACA-60DD-4F02-00000000C801}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 23542300x800000000000000015901018Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:19.456{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3D47A9577F6C37C8A789D2C58E9753D,SHA256=98F3A689C5B733031AF3F8661D6B2952DFA80D2C2D6368BFF616A24EED85625C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:20.346{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5580665707D86B9598A62373D1BD665E,SHA256=E1AAEB091681A7F1D5B68DAF3096841CFEEB31D2961967E5490AF7C10171D4EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901019Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:20.472{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=800C626B460CF584DD142357D37927E6,SHA256=23D2D73AFED31947F7CC59948B0B18511B809CE57DFC4EAC86017E628C987CB2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:21.158{3BF36828-DD1D-60DD-3000-00000000C801}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007995993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:21.049{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A1CBAA6280933B5EB422082EC50DEDB,SHA256=932680B49D5350DB3FD2D83D0C5567F68A853EBB8116F1CCE714AF5E518E10B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007995992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:21.049{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3343CF98D7A90DB121917737C040BE7E,SHA256=F49CB1E08E4C49C3FB0D6C25EDD5DF586B6E78A806842409B93D1FC15572635A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015901021Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:18.453{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52071-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901020Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:21.487{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19EC1BBAB041DFDCAB77EECC04F5009B,SHA256=78EE156F632B24563D1C4F77EDD29A5704958D8CD3550E2AE1581F43B66210B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007995996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:19.367{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62354-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007995995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:22.502{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55AD2875341C32E1D59E38026BB00204,SHA256=C7F83BD59700C1059599F9C77F36AF5CEB140FBB60497B906863EABAC2CDCD8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901022Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:22.518{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E623DEFCF35D6C558552198C8E81A73D,SHA256=A92BBA6E79278B43AE08AAB1ECA327A71661B898E0734FCBE06747CFB91F8552,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007995998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:23.924{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F541AAD738DD8CA7D4C210D4A0519EB,SHA256=A21A0238B02066EEC631AD24ED039DFC06CA1E44C23A5941D6A637862332ABF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007995997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:20.335{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62355-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000015901023Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:23.534{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36D1976C61843586E02A1C4DB76865DB,SHA256=A50A374279D3DE78913260A74D15930C67F4A30D9748B223DB357E58ED2D5A89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901024Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:24.550{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A50CB22B735B558A317CD2F528F300C,SHA256=B0088A8E89FE41C78E7BA3BFA5EADB163A449200691EB6E27BD149CA2D70341F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007996023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007996022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007996021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007996020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007996019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007996018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007996017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007996016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007996015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007996014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007996013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007996012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007996011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007996010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007996009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007996008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007996007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007996006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x80000000000000007996005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007996001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007996000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.989{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007995999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.299{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79972F7234B59284BDEFEB09A43A9534,SHA256=BE40F8E33B878A34D85E3F21DB139A14BA068533DABF6EA76360561A3FF45558,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901025Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:25.581{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB0F4D84799FA1F75B34EFF3E4040B67,SHA256=4DB61F8E28F79A80CB0FA1313BC7A65ACD97009BBBD4A01BE7F19C5EA57CACE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007996106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.799{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007996105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.799{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007996104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.799{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007996103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.690{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007996102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.690{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007996101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.690{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007996100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.690{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007996099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.690{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007996098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.690{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007996097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.690{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007996096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.690{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007996095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007996094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007996093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007996092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007996091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007996090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007996089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007996088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007996087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007996086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007996085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007996084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007996083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007996082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007996081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007996080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007996079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007996078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007996077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 23542300x80000000000000007996076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7FACA1A8986E3C4EE410CD6951CA3F1,SHA256=D9BC77D86578AEB7CF5EB687D9069D050C0E00B9AC96B661A5487487AA17D3C9,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007996075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007996074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007996073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007996072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007996071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007996070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007996069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000007996068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007996067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007996066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007996065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007996064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007996063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x80000000000000007996062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007996061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007996060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007996059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007996058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x80000000000000007996057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007996052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.674{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007996051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.677{3BF36828-EAD2-60DD-5102-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007996050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.127{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007996049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.111{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007996048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.111{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007996047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.002{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007996046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.002{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007996045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.002{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007996044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.002{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007996043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.002{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007996042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.002{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007996041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:26.002{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007996040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007996039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007996038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007996037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007996036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007996035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007996034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x80000000000000007996033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007996032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007996031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007996030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007996029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007996028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007996027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007996026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007996025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007996024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.986{3BF36828-EAD1-60DD-5002-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 23542300x800000000000000015901027Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:26.581{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A87525864F3E0F1382AFE7B48AC0422,SHA256=BBF5AF19D60DEB3229B75D2258F2FCF60DC3511E4BC96C28E1526650DF1F9100,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901026Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:23.515{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52072-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000007996158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:25.257{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62356-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x80000000000000007996157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.471{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007996156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.471{3BF36828-EAD3-60DD-5202-00000000C801}50321708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007996155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.471{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007996154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.471{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007996153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.361{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007996152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.361{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007996151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.361{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007996150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.361{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007996149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.361{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007996148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.361{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007996147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.361{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007996146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.361{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007996145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007996144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007996143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007996142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007996141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007996140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007996139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007996138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007996137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007996136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007996135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007996134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007996133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007996132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007996131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007996130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007996129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007996128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007996127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007996126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007996125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007996124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007996123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007996122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007996121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007996120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007996119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007996118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007996117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007996116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007996115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007996114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007996113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007996108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.346{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007996107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:27.348{3BF36828-EAD3-60DD-5202-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901028Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:27.597{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=495E6136F98AB0AC37CF946F3538D71C,SHA256=8ECC0B9625CF11C16618D0AD90BEE922ED8401772706325626CF11CB94D835CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007996263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.845{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007996262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.845{3BF36828-EAD4-60DD-5402-00000000C801}47644228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007996261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.845{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007996260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.845{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007996259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.736{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007996258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.736{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007996257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.736{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007996256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.736{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007996255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.736{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007996254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.736{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007996253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.736{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007996252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.736{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007996251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007996250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007996249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007996248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 23542300x80000000000000007996247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C193E67859ECCFB2B4C46230BC6E7943,SHA256=1F2AAFDEFEFE8D1BFA8F107347D8B250395743CDEA764F25EFC3CB2F8076E0BB,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007996246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007996245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007996244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007996243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007996242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007996241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007996240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007996239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007996238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007996237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007996236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007996235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007996234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007996233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007996232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007996231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007996230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007996229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007996228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007996227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007996226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007996225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007996224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007996223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007996222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007996221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007996220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007996219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007996218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007996213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.720{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007996212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.722{3BF36828-EAD4-60DD-5402-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007996211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.173{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007996210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.173{3BF36828-EAD4-60DD-5302-00000000C801}44483588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007996209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.158{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007996208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.158{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007996207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.048{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007996206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.048{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007996205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.048{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007996204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.048{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007996203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.048{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007996202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.048{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007996201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.048{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007996200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.048{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007996199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007996198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007996197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007996196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007996195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 23542300x80000000000000007996194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5458C6BF6C90EFF34EAA2B6CC32A2167,SHA256=B3515C5C0999F54C3191513CA340EC00D8CF73F37AA714D8BD2E5015ED6F72BE,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007996193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007996192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007996191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007996190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007996189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007996188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007996187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007996186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007996185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007996184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007996183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007996182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007996181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007996180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007996179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007996178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007996177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007996176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007996175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007996174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007996173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007996172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007996171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007996170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007996169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007996168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007996167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007996166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x80000000000000007996165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007996160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.033{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007996159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:28.036{3BF36828-EAD4-60DD-5302-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901030Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:28.689{B81B27B7-880B-60DC-1F00-00000000C701}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901029Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:28.642{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E495BD698FAEC5C0E6BC43490FECA4CA,SHA256=FE7CA5CDD338A7DB8B625601B2D57A1D9720878831391AAD2B62D00F10D11BC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:29.439{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59E3DD1B92E3C5FE61793E969637E488,SHA256=A3571B599E534091E4B6412C5B887427526671C88BBEE569FC32D09BDEC68208,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901031Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:29.642{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A108B1FDA0850AE72247D67F7834914,SHA256=4D64AB29E854F065A88ACFDB0DAB0453E60CE796AF3D77E9B335FB7124801025,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:30.877{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D78575F01EF361B4BB9FA5AD0B99F3E,SHA256=C476FBF32FC22220758F1CE624501B5EFE9805E0B17E7B819786ECC79CF8DCF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007996265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:30.127{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DFCED383B25B36B71D2EEE26073D7FD,SHA256=2CDD7F14127CFFC970ECE6B414421C0D4F73700745C058B7073DE09D40D27DA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901033Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:30.673{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6D05F89849E9B4A96941D12805612A7,SHA256=6E25481C6936FFE7D05F120777867A6C4B23885726E427F8C56B3C1F44A84415,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901032Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:27.982{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52073-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000015901034Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:31.689{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7547900ED82354E8C3B06E92742F3F50,SHA256=443762B082946E2A17307054C66E1AADBF3499B6C74792575683EF3D70A0FD96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:32.892{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E535267DAD6BC1DFD0FD85F2E69DB936,SHA256=2DD4706B69DCE5A506F5EBB388FBF751314256D788E52717F9ACDC9F22EC22E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901036Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:32.736{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30F4D45F8B491B035040C6180D629623,SHA256=4EFB337B069DB27B19826A60A7A97C0A1750A77DF0BC5A9E6E7C7F0076CF09E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901035Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:29.560{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52074-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007996270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:33.892{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D2D4C940A2083E531B881AE7498292B,SHA256=F0A6C9C762C45D75CAA2A6D0568ED11AA820DD216FA198D156A1778FFBF3EABF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007996269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:33.892{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A51F7602347297C5DBC00BE0C8878972,SHA256=94E459307FC7EDE6E5F03D216248B31A6D15B4892B502AA628DB8FA49796316F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007996268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:30.413{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62357-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901037Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:33.751{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA8854ACA6A6FB5235509E68E7B4D482,SHA256=B245D1CC16C2FCA69574ADC14D4DDFAB6591CE8A3A035EE016F0D0E580F02CED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901038Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:34.767{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F11E5C079B16E25F69C02E223F0D0053,SHA256=DB4DD9DD549A5CD92D86BED5BFF908D8E54427DC19D8EFD43289DEDA8629B7FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:35.126{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4349F1DF2CB567F179C92B0AB5055838,SHA256=F7D034F21C3806235D6C41175C361B574732C80BF8AB1D9907F52429ED4C4D3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901039Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:35.798{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61CB1B4E45DC89203EB496D972640B1C,SHA256=42B3E58AEB5D3F0091D94FF80D5674A9B2762AD0E7EEC6E895C38C4FCECA0976,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:36.501{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C15A5D2A587ABDA3ACEAE8A134BE54C3,SHA256=B09A8D632CA10B5B5823FCE46CCCF1DFC370344A56B8644A65421ED0F3423562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901040Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:36.860{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F459137EFD854493538317915F9432E,SHA256=12F4B7A73F5131A067AFD79D61555F06FA84427E270EEE1DF8F89A7CAC944B9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:37.876{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8877A7EDF701BDAF8ECF500B4342A782,SHA256=9E223D6A853E60464FCB9BA8B1A0A88963E1E1421BDE79F75CEF828B5A3C6EAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901042Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:37.876{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F9FBBA18F4C5C17663F6D8D773434A3,SHA256=81478E5EDA831DC32F09F1EE2244B462940FCF19283A45FE1177F58B8AE60BD2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901041Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:35.310{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52075-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000007996275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:38.908{3BF36828-DD0D-60DD-0D00-00000000C801}9244328C:\Windows\system32\svchost.exe{3BF36828-E975-60DD-2802-00000000C801}3792C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:38.908{3BF36828-DD0D-60DD-0D00-00000000C801}9244328C:\Windows\system32\svchost.exe{3BF36828-E975-60DD-2802-00000000C801}3792C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015901043Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:38.876{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56C7409290B49769D14D2E5F3434480E,SHA256=60450C2281B0944CF3EFC27AF562D305BFFDEEA5C90953A92518674BD59A82E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007996277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:36.194{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62358-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007996276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:39.236{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0057436766DE6F47CFB994038CAFB4C,SHA256=2A5D92FC928D8974B420925D20693B0199A354B9DE3691CB0F78BF0750328FA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901044Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:39.892{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB70349C0E0F9FE3A5D427387FE35450,SHA256=3AC5DB2E46278081E2901DFD0524EFDE3582EBD23D1243268AC3830E7AEF8B4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:40.595{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D335B938FCBBF310689E2F36DE92A702,SHA256=250329B1E054B5255713E0C2D0B4B909C8DA193198ACD3E54D35004A100AE927,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901045Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:40.923{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F99D3333277079025880A2A5624B13D,SHA256=4082CAA667392E75A3B8218534930A1B42DD15D1F18456BA1019941E9B2DBD71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:41.970{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB579B83B3E6CE70554F50714B9607AC,SHA256=C57856374A22C82E8EC7475F459AD7B0E5FB5CDD2D1C425258E5A7C05D420FC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007996306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:41.548{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:41.548{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:41.548{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:41.548{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:41.548{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:41.548{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:41.548{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:41.548{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:41.548{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:41.548{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:41.548{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:41.548{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:41.548{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:41.548{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:41.548{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:41.548{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:41.548{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:41.548{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:41.548{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:41.548{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:41.548{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:41.548{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:41.548{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:41.548{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:41.548{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:41.548{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:41.548{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:41.548{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015901046Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:41.985{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9A6B576281AA81B251BA01D7C93EED3,SHA256=EE133BC941F59832046872A75196774395490EB6813D540DCEB7C81459ECF68E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:42.657{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68DB888BFFFB754BD57D93C2C6CFDFC7,SHA256=017DBF2AC34E5E95DF4160672B76D958040E1476FAEBC981E73B8F653350C148,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007996308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:42.470{3BF36828-DD0D-60DD-1200-00000000C801}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=93D050A32CB1E5068E2165051CADE484,SHA256=A41C148E3AB8E5A8471F581FB4D3E0B190D6B91C8F008BCBA292507DB056244A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015901061Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:42.892{B81B27B7-EAE2-60DD-782A-00000000C701}54205296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901060Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:42.751{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EAE2-60DD-782A-00000000C701}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901059Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:42.751{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901058Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:42.751{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901057Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:42.751{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901056Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:42.751{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901055Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:42.751{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901054Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:42.751{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901053Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:42.751{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901052Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:42.751{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901051Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:42.751{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901050Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:42.751{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-EAE2-60DD-782A-00000000C701}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901049Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:42.751{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EAE2-60DD-782A-00000000C701}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901048Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:42.752{B81B27B7-EAE2-60DD-782A-00000000C701}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000015901047Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:40.544{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52076-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007996311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:43.345{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C151BCA9132AAC3C5761630005592CD,SHA256=7DF6ACFC05A5F339F1C7842D6F085C68A399C945E42FE192BB5DB8EE01062D98,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007996310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:41.272{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62359-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901077Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:43.876{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2E20C1D7B40C28F71006FFFEEE28B84,SHA256=FC948DF9AD7993C63EF68DD30A11BC27F41EFA20D690BF6CAB978ECB0EFE4E4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901076Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:43.876{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BE7E1A85A0A5FB6756448EB82C3D177,SHA256=7309CA008733B96F9A5852B979D2562BDA387AE8C4FA88B349C97653A99F0924,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015901075Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:43.423{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EAE3-60DD-792A-00000000C701}228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901074Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:43.423{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901073Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:43.423{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901072Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:43.423{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901071Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:43.423{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901070Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:43.423{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901069Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:43.423{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901068Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:43.423{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901067Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:43.423{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901066Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:43.423{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901065Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:43.423{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-EAE3-60DD-792A-00000000C701}228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901064Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:43.423{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EAE3-60DD-792A-00000000C701}228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901063Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:43.424{B81B27B7-EAE3-60DD-792A-00000000C701}228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901062Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:43.001{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BF3D7C3CC5D5729CF798F0D065BD24C,SHA256=547010560687DECE63568FE63D44C367D367466D689F5A2581825D56601C9A1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:44.720{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86DB1C89C446FD19CDE8133EE694EBF,SHA256=88B623E5380AD54B282DE2A155A5818CBD0E477ACC63444C9575269CBB3DB029,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015901091Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:44.095{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EAE4-60DD-7A2A-00000000C701}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901090Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:44.095{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901089Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:44.095{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901088Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:44.095{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901087Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:44.095{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901086Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:44.095{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901085Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:44.095{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901084Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:44.095{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901083Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:44.095{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901082Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:44.095{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901081Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:44.095{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-EAE4-60DD-7A2A-00000000C701}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901080Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:44.095{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EAE4-60DD-7A2A-00000000C701}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901079Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:44.096{B81B27B7-EAE4-60DD-7A2A-00000000C701}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901078Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:44.017{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BEA9580138DEEE0A35A0974F1CF787D,SHA256=2F3FB351196E002BEBEF353453E741B8BB23B1A983D7505F41D709E864AA379B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901093Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:45.095{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2E20C1D7B40C28F71006FFFEEE28B84,SHA256=FC948DF9AD7993C63EF68DD30A11BC27F41EFA20D690BF6CAB978ECB0EFE4E4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901092Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:45.048{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F80506BD1EA86C4C31F753521B77A497,SHA256=53BF7EA8EA141B2918692D199E7DF64246359AF8A180CC82FBC72FE7E62D596D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:46.126{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E609C65752E6BFBEE0160B4378AD240,SHA256=8EC222A431BB4492C71BC130B8CB4B7BC0062EC21ECE8DC673D1A841AC63BEF5,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000015901095Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:18:46.110{B81B27B7-880A-60DC-1100-00000000C701}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d76e94-0xc477a890) 23542300x800000000000000015901094Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:46.064{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E527B70F495BD4DDE8F8B57BAF1226A1,SHA256=41BD50408DC25A5FC2E4ACB91E6ED0DE397039864CE7BC0B1597769F6F3DCA41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:47.485{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A288B43B2791C96AEBB5118E0E2E1A9A,SHA256=5998CFEFB62D6B0D467D7E0260B9206FD728D082D709E2A4911057B044B03D35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015901120Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:47.595{B81B27B7-EAE7-60DD-7B2A-00000000C701}36205576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901119Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:47.439{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EAE7-60DD-7B2A-00000000C701}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901118Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:47.439{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901117Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:47.439{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901116Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:47.439{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901115Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:47.439{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901114Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:47.439{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901113Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:47.439{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901112Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:47.439{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901111Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:47.439{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901110Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:47.439{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901109Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:47.439{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-EAE7-60DD-7B2A-00000000C701}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901108Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:47.439{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EAE7-60DD-7B2A-00000000C701}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901107Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:47.439{B81B27B7-EAE7-60DD-7B2A-00000000C701}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x800000000000000015901106Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:18:47.423{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000015901105Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:18:47.423{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x056a40ad) 13241300x800000000000000015901104Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:18:47.423{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d76e8c-0x63329607) 13241300x800000000000000015901103Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:18:47.423{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d76e94-0xc4f6fe07) 13241300x800000000000000015901102Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:18:47.423{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d76e9d-0x26bb6607) 13241300x800000000000000015901101Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:18:47.423{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000015901100Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:18:47.423{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x056a40ad) 13241300x800000000000000015901099Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:18:47.423{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d76e8c-0x63329607) 13241300x800000000000000015901098Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:18:47.423{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d76e94-0xc4f6fe07) 13241300x800000000000000015901097Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:18:47.423{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d76e9d-0x26bb6607) 23542300x800000000000000015901096Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:47.095{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB7A59A1FB3744D48C92BF0D39BB6B65,SHA256=9E079E8214E555F2110289837E60A351875893315A79FCAA4CA1B41395A24059,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:48.850{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F2EF5AFA8DCA1CE909947B3B302D088,SHA256=802918D4B959AE3F5153BEC624D2026ECEF4E41C3F42CD76E48716206DF2E374,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015901150Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:48.787{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EAE8-60DD-7D2A-00000000C701}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901149Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:48.787{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901148Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:48.787{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901147Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:48.787{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901146Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:48.787{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901145Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:48.787{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901144Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:48.787{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901143Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:48.787{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901142Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:48.787{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901141Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:48.787{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901140Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:48.787{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-EAE8-60DD-7D2A-00000000C701}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901139Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:48.787{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EAE8-60DD-7D2A-00000000C701}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901138Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:48.788{B81B27B7-EAE8-60DD-7D2A-00000000C701}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000015901137Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:46.544{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52077-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901136Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:48.662{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F523E17246BBFAA8C6D03F9277623F67,SHA256=97A616AC509E8995B4192A81B297855C348AC13DF51964803CD81A50475D83FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015901135Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:48.256{B81B27B7-EAE8-60DD-7C2A-00000000C701}4043360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015901134Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:48.162{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27A1E4030E0B24A8575B056B517F59D3,SHA256=B7A8195642CF3B2D97E1D44EDE79173E8C82DA256C50CF774C163D6A2AE1835C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015901133Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:48.116{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EAE8-60DD-7C2A-00000000C701}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901132Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:48.116{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901131Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:48.116{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901130Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:48.116{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901129Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:48.116{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901128Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:48.116{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901127Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:48.116{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901126Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:48.116{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901125Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:48.116{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901124Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:48.116{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901123Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:48.116{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-EAE8-60DD-7C2A-00000000C701}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901122Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:48.116{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EAE8-60DD-7C2A-00000000C701}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901121Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:48.116{B81B27B7-EAE8-60DD-7C2A-00000000C701}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901166Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:49.803{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1DB5A8AD5C77E25B030BD2B12F36848,SHA256=ED8EC498D7B1C237CA429350BC2E67B6C9233715AF9989BA84A32266564067AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015901165Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:49.553{B81B27B7-EAE9-60DD-7E2A-00000000C701}50284544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901164Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:49.412{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EAE9-60DD-7E2A-00000000C701}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901163Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:49.412{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901162Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:49.412{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901161Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:49.412{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901160Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:49.412{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901159Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:49.412{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901158Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:49.412{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901157Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:49.412{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901156Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:49.412{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901155Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:49.412{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901154Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:49.412{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-EAE9-60DD-7E2A-00000000C701}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901153Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:49.412{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EAE9-60DD-7E2A-00000000C701}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901152Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:49.414{B81B27B7-EAE9-60DD-7E2A-00000000C701}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901151Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:49.256{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CDC3F488DF00D00906C3B42B0DB1E81,SHA256=AEBECD6BAF586FEE122AB84C8E587652A371AA0330CBF36549DB1BA002B856C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007996317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:47.324{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62360-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007996316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:50.209{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF0EDE7751B9936BB3CB23B5EC4A5A17,SHA256=9FF57C362CFEC185489906856C98FDB7AE5465857B50ACAA96E23828B49EA4FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901167Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:50.272{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=405D0333BD7E91FD552BD604C8E0D37A,SHA256=2FB223DFA28B66CA8AE982801F4FE69A8C798D83446A13C5BDF43AC282E0BA51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:51.584{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7037628EE94B1D2E7982C18B14F037F9,SHA256=24A56752B09355DB7FA914E1006A42519E515387902A8F0EFBF9E8011664E16C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007996318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:51.584{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=934C8645B41CACB67FC5C4467A36CC36,SHA256=470E3FDB31F4B26F256D224FE60844CB8891216CF3315F2D75DC819311A67367,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901168Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:51.287{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=706BB6C05FFDF737353B2032705561DB,SHA256=02C09C35678C5AF692C6B2F2964E6C149786A4FA5AF295F717B701CD5642E441,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:52.943{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BFCFF4FADB10980B0D3B83CDE2589B2,SHA256=B912E155AD43478410BAB1DEB9EDFA6AEBE9438EEDA9D2E169366A22543E4AEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901169Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:52.334{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A2A093D56FC02BC7AFA5906E40F8FF9,SHA256=0095E224285C7A1DE65C4ED10FEDA556B89378ABACD8964BBC7921207F0ECDD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901170Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:53.381{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0471D6C9022B03FA6EA8A4E1240C2C1,SHA256=993304142EE712F4D6F5650C3A38B00264B0D4AA5B613B6CBDFFE3724E1F8113,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:54.303{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35873648EC944816B1AB0C6D04478B4E,SHA256=494029A8FADD5546FF1D6E362CA902E7418D2A1988D491BCA1151E8EC74C36C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015901172Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:52.549{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52078-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901171Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:54.412{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73566C88A2EF20311C25E79B6E4D9DB2,SHA256=AE46411840C222FA021206CD24854ACE27C48A3900F7570E9701AF081606D207,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:55.678{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85277EB0F3C63B76ABE23B9B543522FC,SHA256=E37C9EBF568BBF47EF343FB62D9896E19EA915056558A9480F68628A427B0933,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007996322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:52.339{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62361-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901174Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:55.444{B81B27B7-880A-60DC-1000-00000000C701}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=537F156ACDF30DCAAF55C491A9950C46,SHA256=1F9F1926F57EADDB878C78B65B1DF6E1FA08426194183813AB02115BF43C4E7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901173Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:55.428{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1B818B73E994FE7FBFE083D78DF322B,SHA256=97C2FB702E8FF55B1DE422965CB3FFF0F9012CC077F8C122562B62CC7548F49D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901175Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:56.444{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8581BFF7ACF0329042AA908BFA257E12,SHA256=C14E2D1F38F8B065B58438434203460F6CF0D2D59077D08BDD13AA6A352E64C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:57.037{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5F8B97079F90291028493303C9EFDB4,SHA256=9E8D7347061051F6652BA91A355D4D621FB70127198E2469BEB0B231F1B91FB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901176Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:57.459{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99E4BFC20EDD8D856B6EF5081687E35B,SHA256=138D3F72204DC8A9CC92C4BE91000570641CCBCD89E86FC165844072601D5B9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:58.411{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A456575201A74AED0186D638D96B4B5A,SHA256=2C83FFD3ECACCD0869CCE881C28C7B0F3D2011E8E1D8AB00FB937DA0C5B02E00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901177Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:58.475{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8CF9DB9A2F53AE500C4E0E565F38C1D,SHA256=E5151642B88B2BC97870D707B7FA173E3DB74FB277C532D27C2D8F13283682C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007996328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:59.914{3BF36828-DD0D-60DD-0D00-00000000C801}9241944C:\Windows\system32\svchost.exe{3BF36828-DD0C-60DD-0C00-00000000C801}864C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:59.914{3BF36828-DD0D-60DD-0D00-00000000C801}9241944C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2B00-00000000C801}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007996326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:59.773{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFBDC5C8EEA44E70C183F0E2F7A71F46,SHA256=C9C87D5B07C6019748BE32BED407FFE190F4FF6A20A00F1D9FCE7F4A379CFA41,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015901209Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:57.565{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52079-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000015901208Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:59.537{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1100-00000000C701}988C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901207Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:59.537{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1100-00000000C701}988C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901206Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:59.537{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901205Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:59.537{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901204Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:59.537{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901203Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:59.537{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901202Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:59.537{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901201Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:59.537{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901200Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:59.537{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015901199Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:59.537{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41439849169A2422B3833BABE85502CB,SHA256=E570E546C5AF7B13C8335A0D0300774B89884B435D8C391DB7F219610C963992,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015901198Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:59.537{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901197Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:59.537{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901196Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:59.537{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901195Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:59.537{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901194Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:59.537{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901193Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:59.537{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901192Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:59.537{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901191Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:59.537{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901190Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:59.537{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901189Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:59.537{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901188Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:59.537{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901187Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:59.537{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901186Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:59.537{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901185Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:59.537{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901184Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:59.537{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901183Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:59.537{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901182Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:59.537{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901181Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:59.537{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901180Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:59.537{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901179Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:59.537{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901178Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:18:59.537{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000007996330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:18:58.291{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62362-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007996329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:00.445{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E5A97B547CEDCE75ABF0879838F8E59,SHA256=D6006F0366826D0707F84FF411C8A55C3105B308BBB049DCDBC555D29D184BCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901210Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:00.756{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2170B7CDB27454CCF307930F47659024,SHA256=247F5FD05B6FA2D51D92C15B41D96A030755FFBDA575C1AEA98FCB450289475E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:01.133{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=382497D3396D894CA794A3F132C9EB48,SHA256=6F0408AF43BE7D33EC71DA4C350FDD474814BF2512E21DE28E0DA471CA1A4FD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901211Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:01.772{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E39F76FB87C99A13DAEE44470A39D928,SHA256=B73D7B2FFE649BC8F785389A8135321FE151A46DDEC73AB2427A9ECD4EC8B41F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901212Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:02.803{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18B259B7B56391CBCFD2C068D78A4E75,SHA256=EBC76EB6156DE93C710987A21276BD6CF3A7413C74A107F55C374F07DBFEF6C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:03.836{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=584821258D678E12FC49236C20916AE2,SHA256=3B6E3577FDDE11F70FFA5AE1F3D2B14AC00CBEA177C0C4BDF40C1B38D3334DFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901213Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:03.819{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0CBCE3A2856CBEA30EE4DE89D118472,SHA256=CD76413C2417BAB552EB9EEADFA7B25023FBA1285C7348BE2C7DB56B6027F8A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901214Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:04.820{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2DC52DDEF1D645D0951CC43059F73BC,SHA256=A1A9A149079AD4CB8E6424D48F6360C6FAFC7EDFB9E684FD2537E918D9ECFA5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:05.211{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3E0CA3A305A1CCAEECF97EDE7FFC64A,SHA256=61B7899F2E6579EDC39AF78A2EA81C9162EDDC9D8755984C02CE9A5B189E0FBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901215Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:05.832{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72D86E36CBC74EA98734136D55DA54A0,SHA256=5851385C6C8CD6CCC573F640491DD2EE0EA108AA867C3F13A1EC0B4403D41215,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:06.586{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B4CFEDFF2200056EAE4682250487315,SHA256=AAA1F0E40D0F9223F057075A13043B37F52987092EB53DB836C35D1B06FE82B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901217Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:06.834{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05AAF55DE5B089B49A88116A7B60039E,SHA256=E0474282FC620C4BFA4E8BD16F269F8F0D364A5AA99DC4242E57876441330428,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901216Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:03.346{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52080-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007996336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:07.947{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EE1DA66E4D0850429081F0AC8C43EBB,SHA256=A1F3EDBAE4FB7F9C9D9C73E411841B4A734FA59D48CE31795409576BE954215C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007996335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:03.388{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62363-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901218Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:07.854{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5732FDA00805872217B26DDF4171A9E6,SHA256=0BB36BE9EA8B60DAE9D803B7103A791E12E06A30517ECFCF84037267D75EC385,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901219Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:08.870{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94A898F638C715768DC910AE0B5A9EF4,SHA256=4666ADF736288BEB83206AA62BA67E9783B8DB03DFE741948F41B16F32EB8F45,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:09.322{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CDD6B98A2A26B15028D68128AF1E6C5,SHA256=072C72C51ACF4BA7B4521B6F93D504145326AA7B511476A074817D3AB946EF9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901220Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:09.886{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F59C009CE788744C94128DDA0FD0B01,SHA256=95258900C39A2572DD6ABB6431BC378AEAABBC92D041F48115CAC379B45ECF5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:10.682{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02CB8B54CE4BFEFE2B7D5D9E800C20E8,SHA256=51D1D0FA07CF82746A9DD0FC9545114735DDD63AC0196404A841343FA2C1118F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901221Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:10.901{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4D16EBC9982131E895496703BE06A00,SHA256=0D3EA3D0BC0174567F70F88762051DDC83B53C4DE7E55F6E864520E391DDC8D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:11.369{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BDCC3D48A55CECE1913FC29D415B7A2,SHA256=0C96154732E5A2C15A5872FEA8B69E8D07847E50318D495A4D13D4AEE95D24B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901223Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:11.964{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69849A06C6E707EE03677AA4BE72AC55,SHA256=88C85D077F2D87A81E1CE17EE1BCB40EA4E9C62D9BEFC57D3215B22D4FED3D85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901222Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:08.413{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52081-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007996340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:12.057{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E79AF1E0776B7967D1C08A8B67B5D528,SHA256=460C8C83FECBA7CEDA46F9F9B3BBCC1FF20CF38CFD65C5DE40D97213440BAD48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901224Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:12.964{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=176BAEA456F8BAE7FE90E9BD739C4682,SHA256=E6EC430CECE68216F9FFB3711EA339341631830872FC96E350971DB0DC5980B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:13.416{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0161CBC732B9ADAB93FB2029A0130F87,SHA256=2B393A2F1FC3B52824857B6EDDA31B976C7995C56B75868C92886824DAE4F6C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007996343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:10.844{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62365-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007996342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:10.844{3BF36828-DD1D-60DD-2F00-00000000C801}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local62365-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007996341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:09.328{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62364-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901225Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:13.995{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=730A0F344B3F0550489E9A11CF787851,SHA256=7062AFBAAC9904C3E965437EAABF70638DC3CE217CCD80D353C3FF67BC9387C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:14.791{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=446237289D497F22B121866400580E71,SHA256=C51BCE2BC4DDB6702CA234F93F271E1C3F6B8526EFF7026C610F6890F7B28F0D,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007996345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:14.775{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 354300x800000000000000015901227Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:13.476{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52082-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901226Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:15.011{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=476BFE4A4BDC35C3385BF32E2DBA0CE7,SHA256=D3872B9378E026D36D795CD077C0AFA70C2663644EC2090B12FDAA93DFB267BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:16.150{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431273673C69BEF3417E104CDAC9224B,SHA256=2B19D48B44807F54FEE2B3BCEA16432D4A0940B1CE343216F9ADD15382A16CDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901228Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:16.026{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F10483706960DB0198804C6306CAE2D6,SHA256=8B5CA7E8D5E29DE25AFEB979D6B98B8944C52C1EEAB25EEE551FCEEB209ACB2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:17.525{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=598E24FAA9299778CC35B0318C6A5D19,SHA256=8F2F3CED452A0C7F776511215091D62EEDDAD6609FF08535106EBD2811A01765,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007996351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:17.510{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:17.510{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007996349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:17.510{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 354300x80000000000000007996348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:14.437{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62366-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901229Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:17.042{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5F5742C3E94DFC7AFB502298B8AC80D,SHA256=C8B010D1C4D8AE23B79767FDD912A10602997DA0A83DBF6CB1F960500E636E76,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007996452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.916{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007996451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.916{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007996450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.916{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007996449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.916{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007996448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.916{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007996447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.916{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007996446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.916{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007996445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.916{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007996444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.916{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007996443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007996442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007996441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007996440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007996439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007996438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007996437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007996436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007996435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007996434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007996433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007996432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007996431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007996430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007996429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007996428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007996427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007996426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 23542300x80000000000000007996425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B5724F771E36035A9305D0593052C4E,SHA256=16C2771DCABB282CE735B3B7850EF2C3C6CA660FFA71D8926A99EEAF92F0492F,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007996424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007996423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007996422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007996421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007996420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007996419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007996418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007996417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007996416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007996415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007996414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007996413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007996412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007996411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x80000000000000007996410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007996405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.900{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007996404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.903{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007996403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.338{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007996402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.338{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007996401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.338{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007996400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.228{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007996399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.228{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007996398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.228{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007996397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.228{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007996396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.228{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007996395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.228{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007996394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.228{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007996393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.228{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007996392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007996391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007996390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007996389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007996388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007996387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007996386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007996385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007996384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007996383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007996382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007996381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007996380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007996379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007996378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007996377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007996376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007996375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007996374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007996373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007996372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007996371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007996370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007996369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007996368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007996367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007996366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x80000000000000007996365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007996364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007996363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007996362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007996361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007996360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007996359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x80000000000000007996358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007996354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.213{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007996353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:18.215{3BF36828-EB06-60DD-5502-00000000C801}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901230Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:18.057{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34445D130D8CBC310E35E5220E687AFE,SHA256=27C46E7A4491E58B4C760115743587B0E2F781F121417180D0C73829E10DF2C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007996455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:19.025{3BF36828-EB06-60DD-5602-00000000C801}41643920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007996454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:19.025{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007996453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:19.025{3BF36828-EB06-60DD-5602-00000000C801}4164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000015901231Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:19.073{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AB3E458223EFE7D22D0E9BB4B445206,SHA256=396955E7D25A271D5E7D75352D3D3CA2ACEA68B913F8BCAA045CD06620AC4336,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:20.947{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAFBD1E61022F48594EBAB96D14C0E13,SHA256=5D731E190A27283D199EC65083E6A5B941AA913754828B5982B34FFD014517D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007996456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:20.275{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CA33513D4A7568EF7ABD103022CBCF2,SHA256=4D6C09BC4317EF997FEC78F4FD9E8785440FBD5A33B13DD503C0F6B6600AAD53,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015901233Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:18.507{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52083-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901232Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:20.073{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDF3ABF8023E4EF218887AB558469133,SHA256=A5C9D23B4229AFA1DBBC34FD280D8AFEF9AA3451134AF3F92791C3460B54E0F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:21.697{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9204278F937A095849C178868C5424ED,SHA256=406363566BD3A0792D13675B074E338D3D61BE1DD12EF1BDBEA4E1F5DF4958FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007996458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:21.181{3BF36828-DD1D-60DD-3000-00000000C801}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901234Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:21.104{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDABD4487A42D8AC4E6280600423DCAC,SHA256=E17B96236A54777E7EED09E6E76340E3164F9B5C493AE2159637096CE49DD748,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901235Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:22.136{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E3B2498FEC04D85EFDF4CB45B4808CD,SHA256=952D31094BB27E76BA3E6CC617B0A14F2303B4192B081225AAAF4C6D5026A954,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007996462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:20.359{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62368-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x80000000000000007996461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:20.265{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62367-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007996460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:23.119{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9164A013DABEB842EC99AB1D1F4D177,SHA256=E7876ABDFDBEFCEE418F02816F81CBD34821C0D5440399B4C38E4FBCD28143E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901236Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:23.151{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D01756429EA064F3F2BEC19DCFE725,SHA256=133376D8550B8B41533CC16B83395F433DF728FEBB1BFFB3F12553D5D1336984,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:24.478{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5C049FC912FF05E55053BEE9787512B,SHA256=83A676662A8AB82331AF05F83CBDE2A6B7D6EE959173BF451140A9766F4A0D98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901237Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:24.182{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA2AAC1D38FFEC282D62D36B0573E12F,SHA256=08CADF3F9CEF3656F2D9BE4DA466B4134F4D7DADBE5DA89D78AA7F04BE79307A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007996515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.978{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007996514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.978{3BF36828-EB0D-60DD-5702-00000000C801}50164248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007996513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.978{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007996512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.978{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007996511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.869{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007996510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.869{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007996509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.869{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007996508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.869{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007996507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.869{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007996506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.869{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007996505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.869{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007996504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.869{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007996503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007996502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007996501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007996500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007996499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007996498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007996497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007996496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007996495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007996494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007996493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007996492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007996491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007996490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007996489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007996488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007996487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007996486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007996485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007996484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007996483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007996482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007996481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007996480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007996479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007996478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007996477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007996476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007996475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007996474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007996473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007996472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007996471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007996469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4813052DFC36BA81C322B29FC1B1A192,SHA256=EEB2AAF2E10A4890614A0484A369F8C008A14FB901580C83A92DF24B2DFEA253,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007996468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007996465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.853{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007996464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.856{3BF36828-EB0D-60DD-5702-00000000C801}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000015901239Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:23.523{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52084-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901238Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:25.214{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11EFE12DCC74183573451A61F5F2D388,SHA256=344347279FCCF5B6A6F0AAEED12D4AE7C70768804DB2E80E3F4448EE6044631E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007996566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.650{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007996565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.650{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007996564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.650{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007996563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.541{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007996562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.541{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007996561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.541{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007996560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.541{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007996559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.541{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007996558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.541{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007996557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.541{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007996556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007996555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007996554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007996553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007996552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007996551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x80000000000000007996550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007996549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007996548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007996547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007996546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007996545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007996544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007996543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007996542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007996541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007996540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007996539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007996538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007996537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007996536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007996535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007996534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007996533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007996532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007996531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007996530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007996529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007996528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007996527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007996526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007996525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007996524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007996523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x80000000000000007996522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007996517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.525{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007996516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:26.527{3BF36828-EB0E-60DD-5802-00000000C801}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901240Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:26.214{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFCAFEAE5738A3E4CDF418251BD6E19B,SHA256=4DEC3BF3F7B9D452FE046CBB30199FF766CA85F2D6A4C778DC0A007E0C032532,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007996668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.919{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007996667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.919{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007996666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.919{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007996665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.919{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007996664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.919{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007996663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.919{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007996662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.919{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007996661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.919{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007996660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007996659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007996658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007996657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 23542300x80000000000000007996656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29F8843A1446F313404D5359FA553A70,SHA256=FE4FB8E6BE0DF4151D52D869C04D6A39FE1DA223A7B601A0E38C7BD7A89420E9,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007996655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007996654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007996653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007996652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007996651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007996650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007996649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007996648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007996647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007996646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007996645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007996644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007996643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007996642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007996641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007996640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007996639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007996638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007996637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007996636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007996635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007996634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007996633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007996632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007996631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007996630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007996629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007996628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007996627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x80000000000000007996626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007996621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.904{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007996620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.905{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007996619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:25.359{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62369-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x80000000000000007996618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.337{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007996617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.337{3BF36828-EB0F-60DD-5902-00000000C801}37164380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007996616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.337{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007996615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.337{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007996614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.228{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007996613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.228{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007996612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.228{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007996611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.228{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007996610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.228{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007996609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.228{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007996608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.228{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007996607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.228{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 23542300x80000000000000007996606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC5CB0D94BDB326015AD98813177AB43,SHA256=05CEB909CE9660CEA0E4A990324561BE11AAE15FD90EC721F1048AD1757B0D93,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007996605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007996604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007996603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007996602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007996601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007996600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007996599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007996598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007996597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007996596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007996595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007996594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007996593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007996592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007996591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007996590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007996589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007996588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007996587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007996586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007996585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007996584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007996583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007996582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007996581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007996580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007996579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007996578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007996577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007996576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007996575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007996574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007996573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007996568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.213{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007996567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:27.215{3BF36828-EB0F-60DD-5902-00000000C801}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901241Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:27.229{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2808A64978812D015B1A541DF7E312D0,SHA256=4D88BAE0CAB0E8435DC5B2DBE7CE11A18B7852D19739BA002D447FDCC877C0CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007996728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.701{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007996727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.701{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007996726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.701{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007996725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.591{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007996724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.591{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007996723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.591{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007996722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.591{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007996721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.591{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007996720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.591{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007996719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.591{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007996718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.591{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007996717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007996716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007996715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007996714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007996713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007996712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007996711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007996710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007996709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007996708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007996707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007996706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007996705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007996704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007996703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007996702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007996701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007996700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007996699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007996698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007996697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 23542300x80000000000000007996696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D12D24CA0578E001999EC4BD14CE142,SHA256=8CBB3CF9E528272CAEA5B2BDEA08EE428306E04127CCC43ECAC3659502AE97DB,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007996695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007996694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007996693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007996692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007996691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000007996690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007996689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007996688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007996687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007996686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007996685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x80000000000000007996684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007996683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007996682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007996681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007996680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x80000000000000007996679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007996674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.576{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007996673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.578{3BF36828-EB10-60DD-5B02-00000000C801}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007996672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.029{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007996671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.029{3BF36828-EB0F-60DD-5A02-00000000C801}7041040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007996670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.029{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007996669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:28.029{3BF36828-EB0F-60DD-5A02-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000015901243Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:28.717{B81B27B7-880B-60DC-1F00-00000000C701}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901242Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:28.233{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F772F909E008FC5DDADB2D6035016A0,SHA256=B81825A0351BFA3E299C29F3C47B3A6A6E4F324C596312354C031C1BCF958EC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:29.263{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CA590DDAB18C90FDD1B6CB51B995E15,SHA256=E80CA238616ABCAEBF771DC00A458D2191A79DE00B3880D8597CCC9209026CAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015901245Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:28.011{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52085-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000015901244Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:29.248{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CC15AEEB8D42FA7A51250CB2D415407,SHA256=A7F8B304A173BB8152B5C1D41AABCFF9CDE5C07D03CE1AEDE6147CF9C85AEE54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:30.013{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D1299B8ABC8F20866EF7982A129FF55,SHA256=D54FB0EEE795BD680033A7C8FB1A30A5C3E5A3E7BE0BC8F691F38C6CC71C63A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901246Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:30.264{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7D69F569BA2FB4E643E291468E8A266,SHA256=1BFD481D95B866263CCCC7F7857FA8AC3383064CE8E5DC882C8CFEB06A3BDF06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:31.497{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5ED9BB935E6CD0FF32BD690A9851E61,SHA256=29E13746A4971A8B294C25B0419E0FBF80C35F5A71E2A1A028498123310DDF6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007996731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:31.497{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057276AF08435CCF78F52AC171351F73,SHA256=9B422CDADE62DF20AFBA67D0B680F6B98B87B599667A413BA9317A2D669D4E47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901247Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:31.280{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02BED83A77050B1A0125ECBAF7FD3740,SHA256=126D25D2D705C676F6E820BD8FF86F87BEA87D5193C111640F1A2FA7E8DFCC07,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901249Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:32.295{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB4FEF2EF16E0FDFF8F4951F849F474F,SHA256=720DF649BBBD60480B89E37C77185204D061B136CF8EE39111DE91017CE3F974,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901248Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:29.354{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52086-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000007996733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:31.237{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62370-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901250Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:33.326{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8615243BFB74563866C803991B57BC68,SHA256=D96F6B5945A6F76F3165787E445EB092F3D5CFB4BBDBB14C300B8C969B8E3763,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:34.247{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55D607A97C90D86F6831F8DF3174FE08,SHA256=ABAC7DFFED1196AD7734F2BFA37AE8DEA8C513E9A5D7BDB97CC5FD30D4E68B23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901251Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:34.389{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BE531F81825C8B5FAD8EBBD966F72E7,SHA256=AB0705E6D792C08A751282C23162F710C79A87ECBD569BD124F7841D39D8C09A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:35.935{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D88464E813B6517864257B32FFA7E834,SHA256=1CAEC5E529A8AB547245A4C3C61E5C30FEBE26DDDDED1D9499A9CEC6034BF193,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000015901253Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:19:35.905{B81B27B7-880A-60DC-1100-00000000C701}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d76e94-0xe225a3b7) 23542300x800000000000000015901252Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:35.405{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DFFE5DAA2DA4FA0D5E77710DEBE9B75,SHA256=D72C710CCB94584E3E902FDA6B17BC7121CBABF10325C45FC8E6B8C853DAE2CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901257Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:36.905{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF2910EA8D58349861C5A56565D83898,SHA256=D510A499A6278CD9FE3C74F00073DA298A30B5D901DAA8855591D95391853E67,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901256Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:36.905{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=878F72627FF74B09CCB03DF40929CAFB,SHA256=684D4370A9279BE0FC110F9DB0576A3F163F91CBAFC98B787397103CE0928E38,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901255Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:36.436{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=223414E178298A775DD17CB660DD3B14,SHA256=7409EE72BDECE24D70926C2E065E07EBF194B4D6A1AF660BE11EAB506201353D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901254Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:34.370{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52087-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007996736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:37.357{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E783E16A259C840BCB97B75397AD3A49,SHA256=3FB1270A717ACC04B9A09C2CA08DDADDFE964B2697D8DF75EDC5172317E99969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901260Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:37.498{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04C9A6BFAB48022F1FC202300C185DC1,SHA256=1B3DF6FB65EB3E0C3486BD7C8679B9096BF1272D3936209C6BEF8A0D36194C2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901259Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:35.197{B81B27B7-880A-60DC-1100-00000000C701}988C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-987.attackrange.local123ntpfalse168.61.215.74-123ntp 354300x800000000000000015901258Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:35.197{B81B27B7-880A-60DC-1100-00000000C701}988C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-987.attackrange.local123ntpfalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal123ntp 23542300x80000000000000007996738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:38.716{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A53D5BF46BDC279758E2B75241609266,SHA256=F182C542A604636A8E060F444D12771CBB4FFB96F40CE92D261A9D013C0A67EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007996737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:35.127{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-128.attackrange.local123ntpfalse10.0.1.15WIN-HOST-987123ntp 23542300x800000000000000015901261Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:38.514{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7988E54E31AF4F4B6A20BACB1B97761F,SHA256=8D8ADC745EAA35BAF8A6B97225F793294DBDC82EE446ADC6407B3CEBA9DC1861,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007996739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:36.346{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62371-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901262Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:39.530{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A9AE52382BAF0376EBFFF40893D9A4A,SHA256=C2016A8AD0F6299077F471EC7EDC284AC5DCA3F9BA15F9CECBD64B9102E2C3D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007996741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:40.700{3BF36828-DD0B-60DD-0B00-00000000C801}6521204C:\Windows\system32\lsass.exe{3BF36828-DCF0-60DD-0100-00000000C801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000007996740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:40.091{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5BF3B89509E29D4CD0F823FE72518AF,SHA256=F72641138E6ADA1C97F9AF829918157371DDA03FFA420F4856567C90944BE48D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901263Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:40.545{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBF532E622129087515BEBD966745289,SHA256=AB18031DBC55D99B714CD8D683FCAC163576DE814C17ECA940FAD42E1A4CCE0D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007996744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:39.894{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62372-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x80000000000000007996743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:39.894{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local62372-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 23542300x80000000000000007996742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:41.450{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C8C3B27FE35F0B61A3FEB2A3675BF16,SHA256=6BE293AA62F17C025649FF3BF401D98CCF15485C2A6CBE343D6F19B2E3445A28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901265Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:41.576{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD1FC93E2550ADEEEEB6CA4855D8C1F6,SHA256=D00A48653DE65B34B8C5E2A20DAAEC99261F8167422691564E665733DD9CBCD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901264Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:39.417{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52088-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007996761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:42.825{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=491108C7C3CFFE6E4AC4D1AE0AE0FA75,SHA256=428C773D49893E1604742025B4119F260E4BE93E14A463D32EFD81CFB3D2FC77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007996760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:42.825{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9E66C917BD7A05389884654BB7E43D1,SHA256=4D6AAF9B148306CEB33348FCD4437BFE4D17F24DC9321C5D0A32DCBA3320042E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007996759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:42.481{3BF36828-DD0D-60DD-1200-00000000C801}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C37E699DD86449CFBE81E51322A84F35,SHA256=FC514AC0808E9288DBA9C83D9DF04B8C74441FD2F0B8263F5E90394F1B3C11F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007996758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:42.200{3BF36828-DD0D-60DD-0F00-00000000C801}344716C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:42.200{3BF36828-DD0D-60DD-0F00-00000000C801}344716C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000007996756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:19:42.169{3BF36828-DD0D-60DD-1200-00000000C801}396C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{78dd5cd2-de19-4232-9375-043e01bb7b4c}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x80000000000000007996755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:19:42.169{3BF36828-DD0D-60DD-1200-00000000C801}396C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{78dd5cd2-de19-4232-9375-043e01bb7b4c}\IsServerNapAwareDWORD (0x00000000) 13241300x80000000000000007996754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:19:42.169{3BF36828-DD0D-60DD-1200-00000000C801}396C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{78dd5cd2-de19-4232-9375-043e01bb7b4c}\AddressTypeDWORD (0x00000000) 13241300x80000000000000007996753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:19:42.169{3BF36828-DD0D-60DD-1200-00000000C801}396C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{78dd5cd2-de19-4232-9375-043e01bb7b4c}\LeaseTerminatesTimeDWORD (0x60ddf92e) 13241300x80000000000000007996752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:19:42.169{3BF36828-DD0D-60DD-1200-00000000C801}396C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{78dd5cd2-de19-4232-9375-043e01bb7b4c}\T2DWORD (0x60ddf76c) 13241300x80000000000000007996751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:19:42.169{3BF36828-DD0D-60DD-1200-00000000C801}396C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{78dd5cd2-de19-4232-9375-043e01bb7b4c}\T1DWORD (0x60ddf226) 13241300x80000000000000007996750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:19:42.169{3BF36828-DD0D-60DD-1200-00000000C801}396C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{78dd5cd2-de19-4232-9375-043e01bb7b4c}\LeaseObtainedTimeDWORD (0x60ddeb1e) 13241300x80000000000000007996749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:19:42.169{3BF36828-DD0D-60DD-1200-00000000C801}396C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{78dd5cd2-de19-4232-9375-043e01bb7b4c}\LeaseDWORD (0x00000e10) 13241300x80000000000000007996748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:19:42.169{3BF36828-DD0D-60DD-1200-00000000C801}396C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{78dd5cd2-de19-4232-9375-043e01bb7b4c}\DhcpServer10.0.1.1 13241300x80000000000000007996747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:19:42.169{3BF36828-DD0D-60DD-1200-00000000C801}396C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{78dd5cd2-de19-4232-9375-043e01bb7b4c}\DhcpSubnetMask255.255.255.0 13241300x80000000000000007996746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:19:42.169{3BF36828-DD0D-60DD-1200-00000000C801}396C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{78dd5cd2-de19-4232-9375-043e01bb7b4c}\DhcpIPAddress10.0.1.14 13241300x80000000000000007996745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:19:42.169{3BF36828-DD0D-60DD-1200-00000000C801}396C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{78dd5cd2-de19-4232-9375-043e01bb7b4c}\DhcpInterfaceOptionsBinary Data 10341000x800000000000000015901279Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:42.764{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EB1E-60DD-7F2A-00000000C701}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901278Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:42.764{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901277Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:42.764{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901276Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:42.764{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901275Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:42.764{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901274Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:42.764{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901273Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:42.764{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901272Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:42.764{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901271Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:42.764{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901270Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:42.764{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901269Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:42.764{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-EB1E-60DD-7F2A-00000000C701}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901268Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:42.764{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EB1E-60DD-7F2A-00000000C701}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901267Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:42.765{B81B27B7-EB1E-60DD-7F2A-00000000C701}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901266Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:42.592{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99445616FE8D4D91F19ADBFBE13106AD,SHA256=FC87EBBD72A37518885CABFF19C0CA307BC5CE4FCA3B6A9F04A3826A13E332BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015901306Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:43.983{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EB1F-60DD-812A-00000000C701}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901305Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:43.983{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901304Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:43.983{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901303Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:43.983{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901302Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:43.983{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901301Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:43.983{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901300Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:43.983{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901299Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:43.983{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901298Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:43.983{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901297Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:43.983{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901296Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:43.983{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-EB1F-60DD-812A-00000000C701}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901295Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:43.983{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EB1F-60DD-812A-00000000C701}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901294Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:43.985{B81B27B7-EB1F-60DD-812A-00000000C701}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901293Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:43.983{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A90D069DB842922D251E6E2CAD1C1E5,SHA256=94E0F5A65FBCCA07D311F824C87B42339750E88E4E934EB012BD2778C921AF46,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015901292Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:43.436{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EB1F-60DD-802A-00000000C701}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901291Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:43.436{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901290Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:43.436{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901289Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:43.436{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901288Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:43.436{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901287Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:43.436{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901286Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:43.436{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901285Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:43.436{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901284Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:43.436{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901283Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:43.436{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901282Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:43.436{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-EB1F-60DD-802A-00000000C701}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901281Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:43.436{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EB1F-60DD-802A-00000000C701}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901280Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:43.436{B81B27B7-EB1F-60DD-802A-00000000C701}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x80000000000000007996779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:19:44.200{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{78DD5CD2-DE19-4232-9375-043E01BB7B4C}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000007996778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:19:44.200{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{78DD5CD2-DE19-4232-9375-043E01BB7B4C}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000007996777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:19:44.200{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{78DD5CD2-DE19-4232-9375-043E01BB7B4C}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000007996776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:19:44.200{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{78DD5CD2-DE19-4232-9375-043E01BB7B4C}\FlagsDWORD (0x00000002) 13241300x80000000000000007996775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:19:44.200{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{78DD5CD2-DE19-4232-9375-043E01BB7B4C}\TtlDWORD (0x000004b0) 13241300x80000000000000007996774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:19:44.200{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{78DD5CD2-DE19-4232-9375-043E01BB7B4C}\SentPriUpdateToIpBinary Data 13241300x80000000000000007996773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:19:44.200{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{78DD5CD2-DE19-4232-9375-043E01BB7B4C}\SentUpdateToIpBinary Data 13241300x80000000000000007996772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:19:44.200{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{78DD5CD2-DE19-4232-9375-043E01BB7B4C}\DnsServersBinary Data 13241300x80000000000000007996771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:19:44.200{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{78DD5CD2-DE19-4232-9375-043E01BB7B4C}\HostAddrsBinary Data 13241300x80000000000000007996770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:19:44.200{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{78DD5CD2-DE19-4232-9375-043E01BB7B4C}\PrimaryDomainNameattackrange.local 13241300x80000000000000007996769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:19:44.200{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{78DD5CD2-DE19-4232-9375-043E01BB7B4C}\AdapterDomainName(Empty) 13241300x80000000000000007996768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:19:44.200{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{78DD5CD2-DE19-4232-9375-043E01BB7B4C}\Hostnamewin-dc-128 10341000x80000000000000007996767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:44.200{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x80000000000000007996766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:19:44.200{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{78DD5CD2-DE19-4232-9375-043E01BB7B4C}\RegisteredSinceBootDWORD (0x00000001) 23542300x80000000000000007996765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:44.185{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE33DA6419DC17BAAF47048A7AB93526,SHA256=B31213698AB9203E21BC22881E1F3A439CFCA7298D3A675D4701548F34C3CDB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007996764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:41.956{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local50862- 354300x80000000000000007996763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:41.956{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local50862-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domain 354300x80000000000000007996762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:41.362{3BF36828-DD0D-60DD-1200-00000000C801}396C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-128.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.us-west-2.compute.internal67bootps 10341000x800000000000000015901309Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:44.123{B81B27B7-EB1F-60DD-812A-00000000C701}49884024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015901308Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:43.998{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D67D7C2B0029860B1A083669B3DC485C,SHA256=4362838F5658B6E18E20C4657E9B36A355DE7518E3E761384B405B4FCCA94F01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901307Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:43.998{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF2910EA8D58349861C5A56565D83898,SHA256=D510A499A6278CD9FE3C74F00073DA298A30B5D901DAA8855591D95391853E67,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:45.559{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B110DC2A2EE6650CD64C469809A8445,SHA256=D3A505E84F1FFBE36F27EE44A52516580D1F57E1F017A08561986FCBFF29F634,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007996780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:42.269{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local62373-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901311Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:45.342{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D67D7C2B0029860B1A083669B3DC485C,SHA256=4362838F5658B6E18E20C4657E9B36A355DE7518E3E761384B405B4FCCA94F01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901310Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:44.998{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF91885CE9B24C93D75868BF24E23029,SHA256=153A658C93D9E1AE7103254CD99182BF114A9F42B80365FBD360ACDDD52295CC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:46.934{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35C86008976E732EE7E9E27673350F1B,SHA256=D6304134B867B452433F94973D5947631DCB5B0E2EED1123A20C8A639830BDE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007996797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:43.405{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local65535- 354300x80000000000000007996796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:43.405{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local62147-false10.0.1.14win-dc-128.attackrange.local53domain 354300x80000000000000007996795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:43.405{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local62147- 354300x80000000000000007996794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:43.405{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:9840:b51e:8f82:ffff-62147-truea00:10e:0:0:0:0:0:0win-dc-128.attackrange.local53domain 354300x80000000000000007996793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:43.405{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local56816- 354300x80000000000000007996792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:43.404{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local50858- 354300x80000000000000007996791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:43.404{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local50858-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domain 354300x80000000000000007996790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:43.404{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local57413- 354300x80000000000000007996789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:43.400{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61051-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007996788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:43.400{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61051-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007996787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:43.399{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local51635- 354300x80000000000000007996786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:43.398{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-128.attackrange.local61050-false10.0.1.14win-dc-128.attackrange.local53domain 354300x80000000000000007996785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:43.398{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-128.attackrange.local61050-false10.0.1.14win-dc-128.attackrange.local53domain 354300x80000000000000007996784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:43.396{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local50858- 354300x80000000000000007996783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:43.396{3BF36828-DD0D-60DD-1400-00000000C801}1048C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-128.attackrange.local50858-false10.0.1.14win-dc-128.attackrange.local53domain 354300x80000000000000007996782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:43.396{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local57302- 354300x800000000000000015901313Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:44.464{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52089-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901312Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:46.031{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F405B8BFE99344CA4655AA286E3AD54E,SHA256=A88647194AF46BC50ABCF6D5276B1059148E7BFF44C3FB28290A01929C63855A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015901328Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:47.578{B81B27B7-EB23-60DD-822A-00000000C701}54364512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901327Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:47.437{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EB23-60DD-822A-00000000C701}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901326Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:47.437{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901325Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:47.437{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901324Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:47.437{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901323Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:47.437{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901322Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:47.437{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901321Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:47.437{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901320Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:47.437{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901319Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:47.437{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901318Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:47.437{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901317Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:47.437{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-EB23-60DD-822A-00000000C701}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901316Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:47.437{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EB23-60DD-822A-00000000C701}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901315Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:47.438{B81B27B7-EB23-60DD-822A-00000000C701}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901314Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:47.062{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFFC67693AA3A5923D084CEA84E82B16,SHA256=BCA699D61B90BE41891ADA820368F3D69355012D213232D0A232BFBA8D94619B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:48.298{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33DB45F1BE749D8338256728823116DF,SHA256=8DF1FA781CB32F3C48CA9DE80E805610F7E3AA7735C8E21F2312565E023EC3BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015901358Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:48.925{B81B27B7-EB24-60DD-842A-00000000C701}27443128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901357Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:48.784{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EB24-60DD-842A-00000000C701}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901356Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:48.784{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901355Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:48.784{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901354Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:48.784{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901353Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:48.784{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901352Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:48.784{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901351Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:48.784{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901350Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:48.784{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901349Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:48.784{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901348Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:48.784{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901347Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:48.784{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-EB24-60DD-842A-00000000C701}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901346Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:48.784{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EB24-60DD-842A-00000000C701}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901345Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:48.785{B81B27B7-EB24-60DD-842A-00000000C701}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901344Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:48.441{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76335A13BD3C5EC00D11A41F9D4E3C1E,SHA256=E7220917A8E74507A19564BE6BAF76454A3037B8E688EFE1F292555426BF0987,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015901343Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:48.253{B81B27B7-EB24-60DD-832A-00000000C701}60484900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901342Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:48.112{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EB24-60DD-832A-00000000C701}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901341Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:48.112{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901340Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:48.112{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901339Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:48.112{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901338Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:48.112{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901337Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:48.112{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901336Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:48.112{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901335Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:48.112{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901334Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:48.112{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901333Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:48.112{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901332Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:48.112{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-EB24-60DD-832A-00000000C701}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901331Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:48.112{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EB24-60DD-832A-00000000C701}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901330Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:48.113{B81B27B7-EB24-60DD-832A-00000000C701}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901329Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:48.065{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CC377EA9A0708D370A8752C96A7A9FB,SHA256=3504AD16AD4765A180E0B52E6ED6011520CD914CBB2922A5CC1871311438638E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:49.689{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB9D7282974150B82BC3F7A5C60E81E9,SHA256=4A59FAE50B249217A9A17B54E98EDECADD4799E3705CC96DD2BE4178E6593B10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901373Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:49.800{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=854FC60F5C31BD4C83B7666AF0D25D5D,SHA256=308FC2F5627239251B91D36983D59322B43951EA8E83DA2CB1328F2DDECC2FE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901372Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:49.628{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08690503C8D5B0B03A39DADFFEA2E353,SHA256=947FE8FCFBF9A6B342AFF8C90A25068E493730D45FF60D3B6E9E8D8BA6664183,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015901371Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:49.456{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EB25-60DD-852A-00000000C701}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901370Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:49.456{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901369Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:49.456{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901368Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:49.456{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901367Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:49.456{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901366Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:49.456{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901365Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:49.456{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901364Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:49.456{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901363Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:49.456{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901362Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:49.456{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901361Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:49.456{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-EB25-60DD-852A-00000000C701}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901360Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:49.456{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EB25-60DD-852A-00000000C701}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901359Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:49.457{B81B27B7-EB25-60DD-852A-00000000C701}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007996801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:47.429{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61052-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901374Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:50.503{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00CB9DF9C70AC9F53CCE0703960D3B3F,SHA256=63BD51D29AB6270351020EDF86EC41F0DA2933681572F41992B1C9EC0FBE3D3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:51.736{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FB71E15CD0EC7D13B1DC22A0D2A0511,SHA256=4CDCB701E6FBC27C9C9F452404FECA030B3EDCBF2FF9816EC30094FF9B4F2F3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007996802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:51.048{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9ED8C3A0A7D5F464559BF69B5A4B7A8,SHA256=C6AB7C9ED6E01BA369A81C79BE76F4F7A34474C8F99CD0BAF3EF821683FAD657,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000015901377Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:19:51.909{B81B27B7-880A-60DC-1100-00000000C701}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d76e94-0xebafc1a7) 354300x800000000000000015901376Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:49.500{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52090-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901375Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:51.534{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DB79C3F5A261EAB2A2839880261E74E,SHA256=A8855B7825DE5385589415A86D32006673D3BE85C1505B531A4E151098C0036B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:52.408{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C2C781A9C86D1EBDCEB7B2B42AC04EC,SHA256=49AC236D6EC885EEFE2DA8C216DC6F7BDA8F4B5098AC457CB9A2AD85B97FD437,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901378Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:52.550{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D713149CA777E15F2377B7CAEBC9033,SHA256=82169AD96C3922429F34D400FBF276B2599938501F96213002527A7D01B55714,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:53.783{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEC2E2B78AED9BB2D1A5DCD45E4379F5,SHA256=1BBA9D4E4DEAA11F1CC798C45F7BBA9FD972B16F0E61872453F4B585D5C37B9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901379Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:53.566{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=259BB9FC95B3985677FBBA703189BDB0,SHA256=30BA353C5F878629F611CCD64ADB416A6EE6D3744F6DFFDA191CD1E564997335,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015901381Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:54.894{B81B27B7-880A-60DC-0B00-00000000C701}6401524C:\Windows\system32\lsass.exe{B81B27B7-8806-60DC-0100-00000000C701}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000015901380Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:54.597{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19BA8AC905DCA4FD11161952D12782AB,SHA256=44E2853F081EAFBF0112DC26EABAF48AB25A807C2B5761F9158D3FBE8D36E63B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:55.142{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBAF21C84AE53D9C8E58C28316970596,SHA256=18477696731C077C1EC1F413E0C1D3B726FB9C9B0EC8FC4AD3313A95AAEBE63E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901383Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:55.613{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF2DBB4DD2301E3BF84396C605402B9F,SHA256=AC63EAC2FB9A584A34A7690702354298EB7B21452F5C272ED7B52A3565D61B68,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901382Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:55.457{B81B27B7-880A-60DC-1000-00000000C701}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=777502152F05A23569CDDB38CC05E037,SHA256=7ED3F2B83F343EBB369FC1300C5A5A1555ED2F0A724D454E621E457E3D7A05BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:56.501{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C71A824248A0242C3F2FB07E23CB4F01,SHA256=C9E082948F0D233660FF165BF43D4BAEB3B419F7EABAFE72CDE125372CCDC9FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007996807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:53.304{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61053-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901385Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:56.660{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3BD4108A9E0A5620CE883213C0D0597,SHA256=2568A37C66D3F40CF48BDA43AC08433863980B08E69326473AB953DCA83B18EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901384Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:54.207{B81B27B7-8806-60DC-0100-00000000C701}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52091-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal445microsoft-ds 23542300x80000000000000007996810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:57.876{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B47FF5F93E9383AA6AA0AA257A47D44,SHA256=9FA43AF7D622F0DCC203EBF4D9CDAAA5D03C874F60D128E074505B1221648025,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007996809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:54.136{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-98752091-false10.0.1.14win-dc-128.attackrange.local445microsoft-ds 354300x800000000000000015901387Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:55.531{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52092-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901386Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:57.691{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BCB3FD21C6D8633EF54AB9E3E94EF0A,SHA256=817F06A1F7494C9CD50A386553EA14306ED28FB1F9E048FE16CC5EE1A30D4638,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:58.549{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=054CF560F81AF89949828A6ECD634507,SHA256=871B19FF8950641340D1767693CEBB3CCA90BD82244CBB2BA67110E168E85D53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901388Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:58.707{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E604587AF66F45B10065354AAE6E20D6,SHA256=877E956DE88966A0672ECA0FB64AA3C8D351B263FBEB541822DEF2C5A5703105,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:59.906{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60260495E79F53ACC33B4818698ECFAB,SHA256=C9144050C0572ABB6F5683679311FD90195EC8B3A14AA08C2EADF94F54F1786E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901389Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:59.722{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F54F61A44775D91D5B9100F4F8C6C59,SHA256=8B5EDBF4833C9A4425BC2B3BCECD4BDD6C015A2D913CE6D8857AC5212158F73D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007996813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:19:58.368{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61054-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901390Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:00.722{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E24EFDB02E40B546756FEE9ACAB8E77,SHA256=0FA0E49BFAC7C313ED558C39EA42987501932F40665272928E33FF857557B631,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:01.285{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1BCEDDE740BEB3832B2FC775960F08E,SHA256=ED3FF3802D5F2BFACBB64EB2139B8F2E4895D3D2DA63BB2BF632FDAABC7F32EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007996814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:01.285{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2812A0357010AC00DAB45DEBE37636D5,SHA256=04C55485AFA14F865BAB78E65F7350817A120E30CE60E7BEE98E6C74CCE7FA64,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015901392Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:19:59.577{B81B27B7-880A-60DC-1100-00000000C701}988C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-987.attackrange.local123ntpfalse169.254.169.123-123ntp 23542300x800000000000000015901391Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:01.738{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A13CA9E2C536F24CA30D2FF47C8ABB18,SHA256=0D048DF0D9CD5DE6DC69C2B39C7F787630032D759414DF3617A5821415316FE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:02.644{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08E4DDBD4FEE570B5A0118636CCF914E,SHA256=71FFA45F39B3D5014EBC1D0AC582B768B50320B9A751E30F00C71529E81439A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901393Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:02.832{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A76125C3A68B35BF2BB84BD93B320E2,SHA256=043E1E17F9E819FDFD3B13BF74E4BF75AC57801E1C3C1D8504CEF918B54018C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901395Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:03.879{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4352FF3C12036D82F070FED2E05AB2B5,SHA256=F5EA9ECF62EF27DD9BAE2DF3FE508684DB0EC67130EE0CA8A1D8B0395B130684,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901394Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:01.374{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52093-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901396Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:04.894{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70E5568C8440FCB49921FBA82D832A8F,SHA256=D9D64BE6D49B05EAD82F19A191A6B4C75CDC610B8C7FA91FC04D0AE52C918A41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:05.363{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C69847C8514CAAF00FCD92BA6E080FA,SHA256=2F07F326A28BB9DD4F47200966F7508D4A6556DB61CFFD578395F2B0840BE7BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901397Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:05.925{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9F28DB588DA8821C557726E54B9CD28,SHA256=F2C0C0A41ED9EB98ED53DCC0520D52E589FE88DB9FB861B8712058EF5CA6765D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:06.363{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=481B1075C41B74BCEFDE48DC705F2628,SHA256=23555400A2A2EF3AD5F8F7FB2184C81F9042A3272559590C28EB2C190532B9EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901398Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:06.940{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4332AC265E7C3F4257908F19ECC450CD,SHA256=03ED5B3334E2DD7300D2A8E65BBD68C96B2A074893770F05AE9CFE45913000B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007996820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:04.369{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61055-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007996819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:07.738{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC1C31C6BB4C7788E155054DBF28BA32,SHA256=B93A3148CE8DDD667CEE98AD2868535D11131CB3A094C2549EBAC3ADE5EFBCB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901400Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:07.940{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C72056C8EF034F086C351E6FADB36F76,SHA256=36F628C03209D84BF346501FEB56987A49BDBD6C2FCAD96AA7F19DA9D26B9DC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000015901399Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:20:07.909{B81B27B7-880A-60DC-1100-00000000C701}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d76e94-0xf5391ebf) 23542300x800000000000000015901402Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:08.956{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D90A77027BC625F0886B367B2E94EEBB,SHA256=2CB52563CB293ABCDDAB7EB90873833B9E92C3CC1CF46671F3C4C2E6B592A927,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901401Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:06.436{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52094-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007996821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:09.109{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=358617D32CDD4E96DA99CFA65B7867F9,SHA256=625620022AECF03F6431857C6FD75D189A427F8BFD6AD381149BDAFDC0D8A3FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007996822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:10.469{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E86A80333E34006503A68D19268D26,SHA256=1A161385BE27EE5344F7DCFF8389C6C8EAE0BD698E0DCEB68B752D3710096D4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901403Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:10.050{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1FD6ACFB0D3F35DD8C13288CF9DCDAC,SHA256=6823DD93FA2843CAF8D3D305E286A4BB184F99B4CB6B8D68CEE7F13082E529E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:11.844{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9B30FE538485B9724E294A31C749100,SHA256=A09BD9F0972A7B2E9E16DAC4AE915C0DE2CBF3DCB8C3B8E1D113DB38015F5634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007996823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:11.844{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=240E9E0B4988A51B5F13DD074263D186,SHA256=2F97C30B595D9CE5FA509EC5412023CE2515D22424091F480450D2A621B54304,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901404Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:11.065{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7244B30D701C316EE0F7E8780D956274,SHA256=359843FF1646288275FA4EFAEDB7DC668947869082C1890F7C06194D2876F53C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901405Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:12.096{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F1A10E14A9C65AF9186BB3A4CBE15F6,SHA256=C8ACD3381DE88F21E4804B3FBF38EDD5B0442C125BFF07C40476FDACAF28FA54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:13.203{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C7037E241B09DD9A85252FFBE2C3402,SHA256=BB0ED05FDF196282A68EB297CE117C1E85F083C3ED212EEB0164477FE3E72EBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007996827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:10.850{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61057-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007996826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:10.850{3BF36828-DD1D-60DD-2F00-00000000C801}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61057-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007996825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:10.256{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61056-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901406Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:13.112{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30C1A0FAC4DC39B04E3D0284A1B0CECD,SHA256=08EC08350351860F1959880215F9820049E3D1F0F71E76EF468E179493E8F7F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:14.578{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11719935A47CCCD18FAE2194F6DEEC74,SHA256=B91B07724883CAF78861630AADAE83703CF5AFC4B188C4D52A13EF530B16F2A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901408Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:14.112{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79D229BEA55A8B03392017F634937873,SHA256=9940568197F4B6ADB310836573849BB9AE799D56AEDFE071B770E73140A8022B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901407Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:11.514{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52095-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007996830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:15.937{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9091C6D2265A4C25C7FA011EFA36DC84,SHA256=A5C6B7810D42887E26BC99B06696FF9F1E6F7D5586211CC89E90EE62A59DCDBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901409Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:15.128{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E41720AA37DEB9780E90C28A7FB8AB9,SHA256=7133853F2EC6C037F6032A749AEAA6E4BA468902030B18F40BB81690F5E4F2E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901410Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:16.143{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34D009B544AC3AD41836984665F0A13,SHA256=65DF986B64D1C70C3D9ADD39FC5943E1747B181E6CC6CEBB0556CF7A2DE305EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:17.312{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C22D831C9B2FC924B4181D33B81BB476,SHA256=60E9173468FAF80147504481FA9BE5E02DE065B804E53C674F5818AB49EFBEE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901411Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:17.159{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A617F19014F4B0E8483EDB1364953A7D,SHA256=3410ACE45FDBCEA7503DE5388039EB2723EA637D110668954045C356FBB889DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007996884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.812{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007996883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.812{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007996882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.812{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007996881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.703{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007996880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.703{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007996879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.703{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007996878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.703{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007996877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.703{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007996876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.703{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007996875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.703{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007996874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.703{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007996873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007996872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007996871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007996870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007996869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007996868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007996867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007996866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007996865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007996864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007996863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007996862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007996861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007996860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007996859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007996858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007996857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007996856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007996855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007996854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007996853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007996852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007996851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007996850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007996849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007996848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007996847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x80000000000000007996846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007996845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007996844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007996843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007996842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007996841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x80000000000000007996840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007996835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007996834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.690{3BF36828-EB42-60DD-5C02-00000000C801}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007996833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:18.687{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FA33AE55ACEEA52133660F5A5371073,SHA256=5779F366AE501114DFD8B45E897E268E9A5302E46FFA8F440B760D7C1FD0C3BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007996832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:15.396{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61058-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901412Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:18.175{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E2ED4C38889726306C9BF7240B07F42,SHA256=0FB8BDF7690CA714149EFEC153907C5BA7DC3CFD9AD2FA3E17F78FDDB76BB2F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007996935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.484{3BF36828-EB43-60DD-5D02-00000000C801}50482040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007996934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.484{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007996933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.484{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007996932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.375{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007996931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.375{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007996930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.375{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007996929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.375{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007996928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.375{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007996927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.375{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007996926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.375{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007996925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.375{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007996924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.375{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007996923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007996922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007996921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007996920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007996919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007996918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007996917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007996916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007996915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007996914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007996913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007996912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007996911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007996910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007996909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007996908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007996907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007996906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007996905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007996904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007996903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007996902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007996901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007996900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007996899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007996898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007996897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007996896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007996895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007996894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007996893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007996892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x80000000000000007996891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007996886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.359{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007996885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.361{3BF36828-EB43-60DD-5D02-00000000C801}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901413Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:19.190{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2CED3AE4C8E1E9874BE44A0138BE442,SHA256=8C2175976187DDCA7E185C53434C2E86C897D84042AAD5C068BC08DF973E2DD2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:20.750{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2AD16A24449A4E347365980842B5B99,SHA256=FF12010D51085D7D5230B1240990257E56AD234B5BDB025D53054CC7F1D9ED63,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000007996939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:20:20.406{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\D370F6FF-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_D370F6FF-0000-0000-0000-100000000000.XML 13241300x80000000000000007996938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:20:20.406{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CA735696-6C26-4910-BF98-1B50C97DCBCC\Config SourceDWORD (0x00000001) 13241300x80000000000000007996937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:20:20.406{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CA735696-6C26-4910-BF98-1B50C97DCBCC\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_CA735696-6C26-4910-BF98-1B50C97DCBCC.XML 23542300x80000000000000007996936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:20.047{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC4F33121E581269F17D02F36E9FE071,SHA256=4926DFD660CD348DB9D5A95758D78F29BFBF856086831F5DB83C0BEF73AEF15A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901415Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:20.222{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EA040688B708107A2CF73F8A3A828E9,SHA256=2D84C1207EC94332898AD7401171E984979D919570646AE9AFC045CC41727991,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901414Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:17.514{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52096-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007996943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:21.437{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFACB1C1B9098AC8054125C598661F49,SHA256=EE41DDFD4B264F9EB2E3C288B28435960C6010B3C15DEC5BD5B92955C57C2E34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007996942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:21.437{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E69E1F43D74590D4E092F6D91F5F7BE,SHA256=E426FEE153729F52DEBA3BEDA98064C4E012560C67314E03C606D5194F4DB0EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007996941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:21.203{3BF36828-DD1D-60DD-3000-00000000C801}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901416Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:21.237{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA317541C94386E5FC47F9E227054A86,SHA256=6303AE16EA614C615D0C8F9703E1BB1ED764834200652FD78D3CDAF551ED5CCA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:22.859{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A5CBAB90566B18AF9025B29D1AD5594,SHA256=C8A556366EDD8E90AD2C3D3A52A930EBEA81EED8F36A736C9B7708B72B1AD408,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007996949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.620{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61061-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x80000000000000007996948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.620{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61061-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x80000000000000007996947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.614{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61060-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x80000000000000007996946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.614{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61060-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x80000000000000007996945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.601{3BF36828-DD0D-60DD-0D00-00000000C801}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61059-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local135epmap 354300x80000000000000007996944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:19.601{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61059-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local135epmap 23542300x800000000000000015901417Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:22.253{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E6CC5C30983D52DD35544E494BB4910,SHA256=83E2F6042B0C117349988DAD16300B10B6C232EB89073EF39CBBE715070E978E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007996953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:23.593{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-DCF0-60DD-0100-00000000C801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000007996952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:23.593{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38CAC200E49753DA7CF0FFD904B2019D,SHA256=B1D4F5E24E5694F58C356D4A0E1711CC2B19A5234416B04D137454F7A5142672,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007996951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:20.380{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61062-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000015901418Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:23.253{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9A15812F28DC9D246E3E382AA1E33BA,SHA256=2ACE16AA1792A4F4BD02F86CE157FAA7DBAB0B140538CBD975802C042EACCBA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007996961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:24.968{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDB8F583CCAA9D397FB24250004FD83E,SHA256=BFA3F23D1959583168AD1DFCB201EC177926A7696A33085DFDAE38568258FAEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007996960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:22.680{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61066-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x80000000000000007996959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:22.680{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61066-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x80000000000000007996958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:22.680{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61065-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local49666- 354300x80000000000000007996957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:22.680{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61065-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local49666- 354300x80000000000000007996956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:22.679{3BF36828-DD0D-60DD-0D00-00000000C801}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61064-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local135epmap 354300x80000000000000007996955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:22.679{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61064-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local135epmap 354300x80000000000000007996954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:21.380{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61063-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901419Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:24.268{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=598B22BA6903CA949BD8DFAA42F86C89,SHA256=037B15408BEFF58871A1D7BA990F01100D59773A40CAC333C280EC2600B759D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007996977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:25.984{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007996976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:25.984{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\kernelbase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 13241300x80000000000000007996975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localInvDB-DriverVerSetValue2021-07-01 16:20:25.953{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exeHKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\1234\DriverVersion0.0.0.0 11241100x80000000000000007996974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localDLL2021-07-01 16:20:25.953{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\New\evil.dll2021-07-01 16:20:25.953 11241100x80000000000000007996973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localDLL2021-07-01 16:20:25.937{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\New\kernelbase.dll2021-07-01 16:20:25.937 11241100x80000000000000007996972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localDLL2021-07-01 16:20:25.937{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\New\UNIDRV.DLL2021-07-01 16:20:25.937 734700x80000000000000007996971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:25.875{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exeC:\Windows\System32\spinf.dll10.0.14393.0 (rs1_release.160715-1616)Windows SPINFMicrosoft® Windows® Operating SystemMicrosoft CorporationSPINF.DLLMD5=31EB34EF0BA43F1F106DD1F19A6A489B,SHA256=2A0002ACC6940D293E3E3FE2035C9AA0D639964F752C1C8C11ED867251E8D83C,IMPHASH=68DF7CC0AA1D7C3945224E1F9870BDA7trueMicrosoft WindowsValid 734700x80000000000000007996970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:25.875{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exeC:\Windows\System32\devrtl.dll10.0.14393.0 (rs1_release.160715-1616)Device Management Run Time LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationDEVRTL.DLLMD5=103D84E49F517098C0E8E14044BB1F73,SHA256=370BAADCA5D39C94A532D2E80EBA6CA537B47E41038A332412AEE4BBA5F025B9,IMPHASH=5DE6FAFA9C141BF53E629553C4AB42FBtrueMicrosoft WindowsValid 734700x80000000000000007996969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:25.875{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exeC:\Windows\System32\mscms.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Color Matching System DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCMS.DLLMD5=85508B678B5852611B112F61858CFC9B,SHA256=88BEBDCCD2532A4D62C4D5EFE475590513BAA7C90C0885FC68DC4451BD06DF8A,IMPHASH=9C1E7CCABDEA296D63CB0D1AF20AD0E3trueMicrosoft WindowsValid 734700x80000000000000007996968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:25.859{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exeC:\Windows\System32\ntprint.dll10.0.14393.4169 (rs1_release.210107-1130)Spooler Setup DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPRINTUI.DLLMD5=FCD56A8D372CFB6470F37F73DB5980E9,SHA256=7D6DBED9D573BC91B7DAEE45132696ACE13CAF76336B91C02E2BEE12512B7CAA,IMPHASH=41A92CD30D93B5E45AC65C66BC12C1F4trueMicrosoft WindowsValid 10341000x80000000000000007996967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:25.875{3BF36828-DD0D-60DD-1400-00000000C801}104892C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007996966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:25.656{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0957853B64D849431B282DFD7CEC68F,SHA256=C16F6B9378DAAA132738B3F6A14FCF7F5A5E073A167439F670AFAB1E5368325C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007996965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:22.791{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61068-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x80000000000000007996964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:22.791{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61068-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x80000000000000007996963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:22.686{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-128.attackrange.local61067-false10.0.1.14win-dc-128.attackrange.local389ldap 354300x80000000000000007996962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:22.686{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61067-false10.0.1.14win-dc-128.attackrange.local389ldap 23542300x800000000000000015901421Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:25.284{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC71D7E2B0D77DD7546938CEA6D5ED49,SHA256=C711DD805EBA88021EBC6051F25DC94B370A294ADDC801745176FE4DA482FA3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901420Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:22.545{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52097-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x80000000000000007997033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.500{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007997032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.500{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007997031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.500{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007997030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.375{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007997029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.375{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007997028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.375{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007997027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.375{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007997026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.375{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007997025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.375{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007997024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.375{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007997023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.375{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007997022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007997021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007997020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007997019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007997018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007997017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007997016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007997015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007997014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007997013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007997012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007997011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007997010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007997009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007997008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007997007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007997006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007997005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007997004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007997003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007997002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007997001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007997000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007996999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007996998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007996997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000007996996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007996995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007996994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007996993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007996992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007996991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x80000000000000007996990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007996989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007996988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007996987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007996986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x80000000000000007996985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007996981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007996980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.359{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007996979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:26.360{3BF36828-EB4A-60DD-5E02-00000000C801}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007996978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:25.984{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\UNIDRV.DLL10.0.14393.4046 (rs1_release.201028-1803)Unidrv Printer DriverMicrosoft® Windows® Operating SystemMicrosoft CorporationUNIDRV.DLLMD5=E436D98FF6EA2DEFCC71561E46718CF8,SHA256=24635AE9BC12B4133CE35EF96CACA51A269ECC320BC1CD9A257417D16959D087,IMPHASH=012DBD89908BD18476361E7B607D0AD9trueMicrosoft WindowsValid 23542300x800000000000000015901422Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:26.300{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA2EEA01170135613348285159AC3BD3,SHA256=935157C74D2705714A08099184B67B127215D345A7B05CD7F33B961C86ABDC51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007997139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.874{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007997138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.874{3BF36828-EB4B-60DD-6002-00000000C801}35763008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.874{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007997136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.874{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007997135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.749{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007997134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.749{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007997133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.749{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007997132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.749{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007997131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.749{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007997130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.749{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007997129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.749{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007997128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.749{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007997127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007997126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007997125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007997124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007997123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007997122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007997121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007997120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007997119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007997118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007997117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007997116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007997115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007997114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007997113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007997112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007997111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007997110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007997109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007997108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007997107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007997106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007997105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007997104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007997103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007997102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007997101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007997100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007997098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007997097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007997096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007997095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007997090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007997089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.737{3BF36828-EB4B-60DD-6002-00000000C801}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007997088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.734{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=385292A05220365693DD460C97FB27B5,SHA256=9FC7C584AD8B1D8F910479725462D1F653D38CA469664B0DD5983DE12B9BFCE9,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007997087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.171{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007997086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.171{3BF36828-EB4B-60DD-5F02-00000000C801}32284696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.171{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007997084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.171{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007997083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.046{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007997082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.046{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007997081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.046{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007997080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.046{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007997079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.046{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007997078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.046{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007997077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.046{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007997076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.046{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 23542300x80000000000000007997075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9271AEBBF6CB38F12AEA15B38F149160,SHA256=8370F3C96C72D252911DD42C8DF84B1FECFBF8EE00C6DE17C5E50282EF82755E,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007997074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007997073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007997072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007997071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007997070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007997069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007997068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007997067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007997066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007997065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007997064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007997063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007997062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007997061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007997060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007997059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007997058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007997057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007997056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007997055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007997054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007997053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007997052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007997051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007997050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007997049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007997048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007997047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007997045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007997044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007997043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007997042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007997040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PrintService_OperationalMD5=76D5AD5B3EFF06373B4F4746FE3EB3D6,SHA256=6F9F9676375872085A3BF8D1C1E6D22806C460EA05624161289AF8A588FBE4A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007997039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007997036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007997035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.033{3BF36828-EB4B-60DD-5F02-00000000C801}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007997034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.031{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PrintService_OperationalMD5=F2A09B10EA72256AD81732A442DE4F7F,SHA256=F1DF2E5CCB263E824E4C0C64F0AA735C60EAA8C16C3113D3671B1ABD67C02FFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901423Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:27.315{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58CDA016FEA29152C42FD2668CF1794F,SHA256=566660254D27C442195FC4D91FFCE2C5106F46C6D44BF4AEE87D45CCFC5C4D70,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007997194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.563{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007997193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.563{3BF36828-EB4C-60DD-6102-00000000C801}4660516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.563{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007997191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.563{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007997190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.438{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007997189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.438{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007997188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.438{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007997187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.438{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007997186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.438{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007997185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.438{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007997184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.438{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007997183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.438{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 23542300x80000000000000007997182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14E7E0D2E315A392F7C707EBECD545A4,SHA256=BC20CE74BAAC960C370AAC9DB1066AEE412FE5FA133F9D0FDE25B5291AB585F5,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007997181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007997180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007997179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007997178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007997177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007997176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007997175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007997174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007997173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007997172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007997171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007997170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007997169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007997168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007997167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007997166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007997165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007997164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007997163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007997162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007997161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007997160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007997159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007997158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007997157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007997156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007997155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007997154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007997153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007997151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007997150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007997149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x80000000000000007997148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007997143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.422{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007997142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:28.424{3BF36828-EB4C-60DD-6102-00000000C801}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007997141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:25.040{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61069-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal445microsoft-ds 354300x80000000000000007997140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:24.986{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.16ip-10-0-1-16.us-west-2.compute.internal48184-false10.0.1.14win-dc-128.attackrange.local445microsoft-ds 23542300x800000000000000015901425Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:28.738{B81B27B7-880B-60DC-1F00-00000000C701}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901424Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:28.316{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52B985ABC93F08D2ACA0F7E5518F813F,SHA256=AD75D4FD98303A5922C456EA7DB178FF993965178F076F02070196897C5D4042,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007997247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.875{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61475D525047608A9B720D46E4E5E5D8,SHA256=184A5DDA06F8EF2723CD047F1DA1AD63B86A9DCD58AAF481546AD3161F483C7F,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007997246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.250{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007997245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.250{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007997244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.250{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007997243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.125{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007997242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.125{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007997241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.125{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007997240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.125{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007997239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.125{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007997238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.125{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007997237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.125{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007997236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007997235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007997234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007997233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007997232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007997231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007997230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x80000000000000007997229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007997228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007997227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007997226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007997225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007997224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007997223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007997222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007997221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 23542300x80000000000000007997220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D611B9135542639F0120F0E0A62A50E,SHA256=25839E725250646F2BA307F36E4ED7761F6640718AC36B3313214FB1200A9845,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007997219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007997218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007997217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007997216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007997215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007997214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007997213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007997212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007997211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007997210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007997209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007997208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007997207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007997206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007997204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007997203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007997202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x80000000000000007997200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007997196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.110{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007997195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:29.112{3BF36828-EB4D-60DD-6202-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901426Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:29.316{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5964F1028C8326FFC96CF5FC099740E,SHA256=58D4F9402733D39A6AEED1C81885A1620C19E2B732578209502150FF1B39F81C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007997251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:30.578{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DCAB649708D3307E12879E725E91B76,SHA256=7802EFC9939AB8042E90A8EF8CDE7421610014B93CADDC95572AA39527E01E7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007997250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.522{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-128.attackrange.local62244-false10.0.0.2ip-10-0-0-2.us-west-2.compute.internal53domain 354300x80000000000000007997249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.522{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local55576- 354300x80000000000000007997248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:27.303{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61070-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000015901429Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:28.437{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52099-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000015901428Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:28.030{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52098-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000015901427Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:30.332{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4BD06158AE7ADAAFDA6B3714F04E643,SHA256=771919B24A5B968B1C360EFC3A25F0524DAFBCAAC788E39DED692BCB0208D039,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007997252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:31.328{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F697986FFC12184055064B4A12A060D,SHA256=A074A88681B334C1FEF5CCF5BD25302135D396DBED4F43BC233EBFCFD094FC2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901430Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:31.348{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4439765DBB906241AF4E6B48008B350,SHA256=EABE3B7C27A6E4C4F74F4B7BDD20C0F9D206A5EFC05D5B0FA6BDA3FBBC7F5D0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007997254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:32.813{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA41D38799E60623B4D4ECEA05460894,SHA256=6DC70DFB787D310E1D5409A6C154A55ADAD9D01F184D0C2A982362A5B581F762,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007997253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:32.063{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F38BA7FBF0E398B1557ACDB6243DFA6C,SHA256=36572C95C0BDE474AA242C003D7B853029B0BB9DF2229064AD733AED58E3D7B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901431Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:32.363{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F2DE3C2CD2BC9CE16681AB33055728F,SHA256=F7DF193969F612D9CE93A4D0A149F26F6F8B7148774FEC18C7817972FA14EE09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901432Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:33.379{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFB11501A0B90FB88483BEB0355C3627,SHA256=3E129DEE34449F6F8031DDE3F8643E95A0B0286A3247828B3FC96773FA499E9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007997255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:34.266{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E24C25CA7E1B4D84ED4B5A4AB7D5B5E3,SHA256=056DA50C0A10E4896D423885B772E7E2E25AAAE44CF3FEAE8D115704BA10CEBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901433Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:34.379{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B91B60955BD56C2DA875FFF7B95E21A9,SHA256=366DB637A33CCAC83EB75D2453A4BB121C142377B564FCE37D9E8BCFFD0BEFE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007997256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:32.365{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61071-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000015901435Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:33.562{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52100-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901434Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:35.394{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92803A54564D4D5F9571386C013B2FD6,SHA256=4EF9180658BBECB4478AA197488E464959049C8CF803FB1A1248D26439EE46FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007997574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.969{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A98CDDD3BD3711CA7F5E3B6269B7AC15,SHA256=3D4849B40684A8EF8BE19582BA7C2A5A1B8DEB7DB0F6FC2BD8282B688A1A1FE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007997573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.969{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7066C70574BC7A2309D1EF12544F0B81,SHA256=9A924CFA374BB2F3FEB983F3F8C5ED6B1A31936D043DEF0FA9F66621B81388F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007997572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.969{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C1799C1D37E93995201650E9753C673A,SHA256=9EDDE59ECC0DB26FAACA343AC5593CCBBE5DE16CC375520E1B33198C7A014731,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007997571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.922{3BF36828-EB54-60DD-6902-00000000C801}15723592C:\Windows\system32\WerFault.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\system32\wer.dll+37d6c|C:\Windows\system32\wer.dll+382c4|C:\Windows\system32\wer.dll+38c5a|C:\Windows\system32\wer.dll+13c54|C:\Windows\system32\wer.dll+6476|C:\Windows\system32\faultrep.dll+b61e|C:\Windows\system32\faultrep.dll+8864|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.891{3BF36828-EB54-60DD-6902-00000000C801}15723592C:\Windows\system32\WerFault.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\dbgeng.dll+280c4d|C:\Windows\SYSTEM32\dbgeng.dll+27c807|C:\Windows\SYSTEM32\dbgeng.dll+181398|C:\Windows\SYSTEM32\dbgeng.dll+1818e6|C:\Windows\SYSTEM32\dbgeng.dll+18746d|C:\Windows\SYSTEM32\dbgeng.dll+394cb|C:\Windows\SYSTEM32\dbgeng.dll+3932a|C:\Windows\SYSTEM32\dbgeng.dll+4dadb|C:\Windows\system32\faultrep.dll+110f3|C:\Windows\system32\faultrep.dll+97ee|C:\Windows\system32\faultrep.dll+b375|C:\Windows\system32\faultrep.dll+8864|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.891{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x80000000000000007997568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.891{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007997567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.891{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007997566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.891{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\DbgModel.dll10.0.14321.1024 (debuggers(dbg).190305-1856)Windows Debugger Data ModelMicrosoft® Windows® Operating SystemMicrosoftDbgModel.DllMD5=5C0CB6EEB206114097FF8AE23623EABC,SHA256=B831287C9EDA9AE16291EEE1B3E3B62C9EC6A3FAFFDD215DC294AEBE7D741460,IMPHASH=582F1BF95ACB46724010A4BAB33FFA2BtrueMicrosoft WindowsValid 734700x80000000000000007997565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.891{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x80000000000000007997564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.891{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\dbgeng.dll10.0.14321.1024 (rs1_release.190305-1856)Windows Symbolic Debugger EngineMicrosoft® Windows® Operating SystemMicrosoftDbgEng.DllMD5=551A3B8C43F0C5977DC9F0EB118544C0,SHA256=0198852F19BAF5F32CECC8B6A1543D068B3C8DEFA6A71137C951D267D737D9DB,IMPHASH=3C1576CA310AF2169815CAE63D89B47FtrueMicrosoft WindowsValid 734700x80000000000000007997563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.875{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x80000000000000007997562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.875{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\iertutil.dll11.00.14393.4283 (rs1_release.210303-1802)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=5541A4A7FB64063F8AFB192ABD4DAE70,SHA256=AABF2E6C392F29B77F076BF705976B68B3100138BC63060335BD154B8417754D,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x80000000000000007997561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.875{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007997560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.875{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007997559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.875{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x80000000000000007997558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.875{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x80000000000000007997557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.875{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x80000000000000007997556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.875{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x80000000000000007997555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.875{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 734700x80000000000000007997554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.875{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007997553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.875{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x80000000000000007997552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.875{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\aepic.dll10.0.19645.1032 (WinBuild.160101.0800)Application Experience Program CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationaepic.dllMD5=44537C14A81BC46E513E3284E08201B3,SHA256=05F30E8C2B215A187D2F317137A1DA5B2461BB345B55FA93EB7B0EAA150C1AB5,IMPHASH=01EB9BD88724091CA18150F23E332599trueMicrosoft WindowsValid 10341000x80000000000000007997551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.875{3BF36828-EB54-60DD-6902-00000000C801}15723592C:\Windows\system32\WerFault.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\system32\faultrep.dll+f0f8|C:\Windows\system32\faultrep.dll+8762|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.875{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007997549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.875{3BF36828-EB54-60DD-6902-00000000C801}15723592C:\Windows\system32\WerFault.exe{3BF36828-EB54-60DD-6A02-00000000C801}3456C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6614|C:\Windows\SYSTEM32\ntdll.dll+58dbb|C:\Windows\System32\KERNELBASE.dll+b780d|C:\Windows\system32\faultrep.dll+84bb|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.828{3BF36828-EB54-60DD-6902-00000000C801}15723592C:\Windows\system32\WerFault.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\faultrep.dll+80af|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.828{3BF36828-EB54-60DD-6902-00000000C801}15723592C:\Windows\system32\WerFault.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\WerFault.exe+15a6e|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.828{3BF36828-EB54-60DD-6902-00000000C801}15723592C:\Windows\system32\WerFault.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\WerFault.exe+1599f|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.828{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007997544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.828{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007997543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.828{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007997542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.828{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007997541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.828{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x80000000000000007997540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.828{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007997539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.828{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007997538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.828{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\Faultrep.dll10.0.14393.4402 (rs1_release.210426-1725)Windows User Mode Crash Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationfaultrep.dllMD5=6C00350227C90474B506650038D5C833,SHA256=54F0229A11A8087917952453F80C1244B4FCB74BF74518D28DB4333A591BBBF7,IMPHASH=0B5226C9569A08D86C4BC35F49183A6BtrueMicrosoft WindowsValid 734700x80000000000000007997537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.828{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FA,IMPHASH=5BAA515B293A764CA06512D078C4E624trueMicrosoft WindowsValid 734700x80000000000000007997536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.828{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x80000000000000007997535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.828{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007997534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.828{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\wintrust.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=D8CD8451D1E194230F18866AD6EFE5E7,SHA256=9977AA1287962035C24DF806DDA67F09FFE9BDF696DBA507D749C624AE1C178D,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x80000000000000007997533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.828{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007997532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.828{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007997531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.828{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007997530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.828{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\wer.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Error Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwer.dllMD5=65C4FEDB972CDE71C2AF0F5AFA1C1C15,SHA256=63C1A7AC782F15980F47972E5B481C2E80EBCD1A2A497EAE93F469BD266CC638,IMPHASH=64F80A25C9178937C2771969A7448641trueMicrosoft WindowsValid 734700x80000000000000007997529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.828{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x80000000000000007997528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.828{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007997527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.813{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007997526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.813{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007997525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.813{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007997524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.813{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007997523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.813{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007997522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.813{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007997521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.813{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007997520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.813{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exeC:\Windows\System32\WerFault.exe10.0.14393.4402 (rs1_release.210426-1725)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerFault.exeMD5=1C7DB4A4F28D9003E4AC027D9F486B7E,SHA256=F4EF776BE91D69CA06E0C67848634C9C764DBA7B47365B643CFFC181B24EA51D,IMPHASH=4D7307CFBDBD0C5F1319B1CF5C054CA6trueMicrosoft WindowsValid 10341000x80000000000000007997519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.813{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.813{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.813{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.813{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.813{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\system32\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007997514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.813{3BF36828-EB54-60DD-6502-00000000C801}38724820C:\Windows\System32\svchost.exe{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\system32\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|c:\windows\system32\faultrep.dll+6abb|c:\windows\system32\faultrep.dll+7121|c:\windows\system32\wersvc.dll+b0bc|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+7794|c:\windows\system32\wersvc.dll+6c93|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007997513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.823{3BF36828-EB54-60DD-6902-00000000C801}1572C:\Windows\System32\WerFault.exe10.0.14393.4402 (rs1_release.210426-1725)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerFault.exeC:\Windows\system32\WerFault.exe -u -p 2868 -s 1924C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=1C7DB4A4F28D9003E4AC027D9F486B7E,SHA256=F4EF776BE91D69CA06E0C67848634C9C764DBA7B47365B643CFFC181B24EA51D,IMPHASH=4D7307CFBDBD0C5F1319B1CF5C054CA6{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe 10341000x80000000000000007997512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.813{3BF36828-EB54-60DD-6502-00000000C801}38724820C:\Windows\System32\svchost.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+b039|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+7794|c:\windows\system32\wersvc.dll+6c93|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.813{3BF36828-EB54-60DD-6502-00000000C801}38724820C:\Windows\System32\svchost.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+ae29|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+7794|c:\windows\system32\wersvc.dll+6c93|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.813{3BF36828-EB54-60DD-6502-00000000C801}38724820C:\Windows\System32\svchost.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x50C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+8a50|c:\windows\system32\wersvc.dll+86ec|c:\windows\system32\wersvc.dll+7794|c:\windows\system32\wersvc.dll+6c93|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.813{3BF36828-EB54-60DD-6502-00000000C801}38724820C:\Windows\System32\svchost.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x1441C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+7050|c:\windows\system32\wersvc.dll+6c93|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.797{3BF36828-EB54-60DD-6802-00000000C801}3860288C:\Windows\system32\WerFault.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\system32\wer.dll+37d6c|C:\Windows\system32\wer.dll+382c4|C:\Windows\system32\wer.dll+38c5a|C:\Windows\system32\wer.dll+13c54|C:\Windows\system32\wer.dll+6476|C:\Windows\system32\faultrep.dll+b61e|C:\Windows\system32\faultrep.dll+8864|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.766{3BF36828-EB54-60DD-6802-00000000C801}3860288C:\Windows\system32\WerFault.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\dbgeng.dll+280c4d|C:\Windows\SYSTEM32\dbgeng.dll+27c807|C:\Windows\SYSTEM32\dbgeng.dll+181398|C:\Windows\SYSTEM32\dbgeng.dll+1818e6|C:\Windows\SYSTEM32\dbgeng.dll+18746d|C:\Windows\SYSTEM32\dbgeng.dll+394cb|C:\Windows\SYSTEM32\dbgeng.dll+3932a|C:\Windows\SYSTEM32\dbgeng.dll+4dadb|C:\Windows\system32\faultrep.dll+110f3|C:\Windows\system32\faultrep.dll+97ee|C:\Windows\system32\faultrep.dll+b375|C:\Windows\system32\faultrep.dll+8864|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.766{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x80000000000000007997505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.766{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007997504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.766{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007997503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.766{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\DbgModel.dll10.0.14321.1024 (debuggers(dbg).190305-1856)Windows Debugger Data ModelMicrosoft® Windows® Operating SystemMicrosoftDbgModel.DllMD5=5C0CB6EEB206114097FF8AE23623EABC,SHA256=B831287C9EDA9AE16291EEE1B3E3B62C9EC6A3FAFFDD215DC294AEBE7D741460,IMPHASH=582F1BF95ACB46724010A4BAB33FFA2BtrueMicrosoft WindowsValid 734700x80000000000000007997502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.766{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x80000000000000007997501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.766{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\dbgeng.dll10.0.14321.1024 (rs1_release.190305-1856)Windows Symbolic Debugger EngineMicrosoft® Windows® Operating SystemMicrosoftDbgEng.DllMD5=551A3B8C43F0C5977DC9F0EB118544C0,SHA256=0198852F19BAF5F32CECC8B6A1543D068B3C8DEFA6A71137C951D267D737D9DB,IMPHASH=3C1576CA310AF2169815CAE63D89B47FtrueMicrosoft WindowsValid 734700x80000000000000007997500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.750{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x80000000000000007997499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.750{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\iertutil.dll11.00.14393.4283 (rs1_release.210303-1802)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=5541A4A7FB64063F8AFB192ABD4DAE70,SHA256=AABF2E6C392F29B77F076BF705976B68B3100138BC63060335BD154B8417754D,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x80000000000000007997498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.750{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007997497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.750{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007997496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.750{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x80000000000000007997495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.750{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x80000000000000007997494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.750{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x80000000000000007997493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.750{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x80000000000000007997492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.750{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 734700x80000000000000007997491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.750{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007997490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.750{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x80000000000000007997489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.750{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\aepic.dll10.0.19645.1032 (WinBuild.160101.0800)Application Experience Program CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationaepic.dllMD5=44537C14A81BC46E513E3284E08201B3,SHA256=05F30E8C2B215A187D2F317137A1DA5B2461BB345B55FA93EB7B0EAA150C1AB5,IMPHASH=01EB9BD88724091CA18150F23E332599trueMicrosoft WindowsValid 10341000x80000000000000007997488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.750{3BF36828-EB54-60DD-6802-00000000C801}3860288C:\Windows\system32\WerFault.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\system32\faultrep.dll+f0f8|C:\Windows\system32\faultrep.dll+8762|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.750{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007997486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.750{3BF36828-EB54-60DD-6802-00000000C801}3860288C:\Windows\system32\WerFault.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\faultrep.dll+80af|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.750{3BF36828-EB54-60DD-6802-00000000C801}3860288C:\Windows\system32\WerFault.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\WerFault.exe+15a6e|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.750{3BF36828-EB54-60DD-6802-00000000C801}3860288C:\Windows\system32\WerFault.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\WerFault.exe+1599f|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.750{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007997482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.750{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007997481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.750{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007997480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.750{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007997479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.750{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x80000000000000007997478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.734{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007997477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.734{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\Faultrep.dll10.0.14393.4402 (rs1_release.210426-1725)Windows User Mode Crash Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationfaultrep.dllMD5=6C00350227C90474B506650038D5C833,SHA256=54F0229A11A8087917952453F80C1244B4FCB74BF74518D28DB4333A591BBBF7,IMPHASH=0B5226C9569A08D86C4BC35F49183A6BtrueMicrosoft WindowsValid 734700x80000000000000007997476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.734{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007997475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.734{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FA,IMPHASH=5BAA515B293A764CA06512D078C4E624trueMicrosoft WindowsValid 734700x80000000000000007997474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.734{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x80000000000000007997473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.734{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007997472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.734{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\wintrust.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=D8CD8451D1E194230F18866AD6EFE5E7,SHA256=9977AA1287962035C24DF806DDA67F09FFE9BDF696DBA507D749C624AE1C178D,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x80000000000000007997471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.734{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007997470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.734{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007997469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.734{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007997468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.734{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\wer.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Error Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwer.dllMD5=65C4FEDB972CDE71C2AF0F5AFA1C1C15,SHA256=63C1A7AC782F15980F47972E5B481C2E80EBCD1A2A497EAE93F469BD266CC638,IMPHASH=64F80A25C9178937C2771969A7448641trueMicrosoft WindowsValid 734700x80000000000000007997467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.734{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x80000000000000007997466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.734{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007997465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.734{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007997464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.734{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007997463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.734{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007997462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.734{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007997461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.734{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007997460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.734{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007997459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.734{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007997458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.734{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.734{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exeC:\Windows\System32\WerFault.exe10.0.14393.4402 (rs1_release.210426-1725)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerFault.exeMD5=1C7DB4A4F28D9003E4AC027D9F486B7E,SHA256=F4EF776BE91D69CA06E0C67848634C9C764DBA7B47365B643CFFC181B24EA51D,IMPHASH=4D7307CFBDBD0C5F1319B1CF5C054CA6trueMicrosoft WindowsValid 10341000x80000000000000007997456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.734{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.734{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.734{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.734{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\system32\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007997452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.734{3BF36828-EB54-60DD-6502-00000000C801}38724820C:\Windows\System32\svchost.exe{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\system32\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|c:\windows\system32\faultrep.dll+6abb|c:\windows\system32\faultrep.dll+7121|c:\windows\system32\wersvc.dll+b0bc|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007997451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.741{3BF36828-EB54-60DD-6802-00000000C801}3860C:\Windows\System32\WerFault.exe10.0.14393.4402 (rs1_release.210426-1725)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerFault.exeC:\Windows\system32\WerFault.exe -u -p 2868 -s 1848C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=1C7DB4A4F28D9003E4AC027D9F486B7E,SHA256=F4EF776BE91D69CA06E0C67848634C9C764DBA7B47365B643CFFC181B24EA51D,IMPHASH=4D7307CFBDBD0C5F1319B1CF5C054CA6{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe 10341000x80000000000000007997450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.734{3BF36828-EB54-60DD-6502-00000000C801}38724820C:\Windows\System32\svchost.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+b039|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.734{3BF36828-EB54-60DD-6502-00000000C801}38724820C:\Windows\System32\svchost.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+ae29|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.734{3BF36828-EB54-60DD-6502-00000000C801}38724820C:\Windows\System32\svchost.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x50C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+8a50|c:\windows\system32\wersvc.dll+86ec|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.734{3BF36828-DD1D-60DD-2500-00000000C801}28682904C:\Windows\System32\spoolsv.exe{3BF36828-EB54-60DD-6702-00000000C801}4948C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6614|C:\Windows\SYSTEM32\ntdll.dll+58dbb|C:\Windows\SYSTEM32\ntdll.dll+696b|C:\Windows\SYSTEM32\ntdll.dll+75bf|C:\Windows\SYSTEM32\ntdll.dll+6787|C:\Windows\SYSTEM32\ntdll.dll+ae746|C:\Windows\SYSTEM32\ntdll.dll+96776|C:\Windows\SYSTEM32\ntdll.dll+aa70d|C:\Windows\SYSTEM32\ntdll.dll+349c3|C:\Windows\SYSTEM32\ntdll.dll+366d9|C:\Windows\SYSTEM32\ntdll.dll+bfbd1|C:\Windows\SYSTEM32\ntdll.dll+52385|C:\Windows\system32\spool\DRIVERS\x64\3\evil.dll+1194|C:\Windows\system32\spool\DRIVERS\x64\3\evil.dll+11d8|C:\Windows\SYSTEM32\ntdll.dll+1859f|C:\Windows\SYSTEM32\ntdll.dll+71d1e|C:\Windows\SYSTEM32\ntdll.dll+71b6b|C:\Windows\SYSTEM32\ntdll.dll+2d7dd|C:\Windows\SYSTEM32\ntdll.dll+18b4d|C:\Windows\SYSTEM32\ntdll.dll+1512d|C:\Windows\SYSTEM32\ntdll.dll+11c4c|C:\Windows\System32\KERNELBASE.dll+25b2f|C:\Windows\system32\winspool.drv+52cd|C:\Windows\system32\winspool.drv+6a93 734700x80000000000000007997446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.687{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\webio.dll10.0.14393.3866 (rs1_release.200805-1327)Web Transfer Protocols APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwebio.dllMD5=0CE65DF03820B5523EFE7D20258E6F0A,SHA256=9224732E1A7761866BB479C91A02C561F77B203EB20914F4ED0AF8FE320E8FF6,IMPHASH=72061958A1119B16F6B4694A68C7F8CBtrueMicrosoft WindowsValid 734700x80000000000000007997445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.641{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\DbgModel.dll10.0.14321.1024 (debuggers(dbg).190305-1856)Windows Debugger Data ModelMicrosoft® Windows® Operating SystemMicrosoftDbgModel.DllMD5=5C0CB6EEB206114097FF8AE23623EABC,SHA256=B831287C9EDA9AE16291EEE1B3E3B62C9EC6A3FAFFDD215DC294AEBE7D741460,IMPHASH=582F1BF95ACB46724010A4BAB33FFA2BtrueMicrosoft WindowsValid 734700x80000000000000007997444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.625{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\dbgeng.dll10.0.14321.1024 (rs1_release.190305-1856)Windows Symbolic Debugger EngineMicrosoft® Windows® Operating SystemMicrosoftDbgEng.DllMD5=551A3B8C43F0C5977DC9F0EB118544C0,SHA256=0198852F19BAF5F32CECC8B6A1543D068B3C8DEFA6A71137C951D267D737D9DB,IMPHASH=3C1576CA310AF2169815CAE63D89B47FtrueMicrosoft WindowsValid 10341000x80000000000000007997443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.672{3BF36828-EB54-60DD-6602-00000000C801}6762244C:\Windows\system32\WerFault.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\system32\wer.dll+37d6c|C:\Windows\system32\wer.dll+382c4|C:\Windows\system32\wer.dll+38c5a|C:\Windows\system32\wer.dll+13c54|C:\Windows\system32\wer.dll+6476|C:\Windows\system32\faultrep.dll+b61e|C:\Windows\system32\faultrep.dll+8864|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.672{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\dhcpcsvc.dll10.0.14393.3930 (rs1_release.200901-1914)DHCP Client ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc.dllMD5=CD3B9633BBEF2102C4665A2C39EC0B1A,SHA256=341EFB4806BE39E09AA90CA3B069C39F2A9D61FA9B512350B2721D41875AFCAE,IMPHASH=9A2F821D250C4CEBC0627590331B869DtrueMicrosoft WindowsValid 734700x80000000000000007997441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.672{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\dhcpcsvc6.dll10.0.14393.3930 (rs1_release.200901-1914)DHCPv6 ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc6.dllMD5=1721EAC44BCFC7177AA664ADCA514F23,SHA256=C099BCCE44A04A48147DE8CF093EBF997510154113789BF31394B5148F60B375,IMPHASH=1278B10B4CD792CEC37AF93D76A387ECtrueMicrosoft WindowsValid 734700x80000000000000007997440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.672{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x80000000000000007997439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.641{3BF36828-EB54-60DD-6602-00000000C801}6762244C:\Windows\system32\WerFault.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\dbgeng.dll+280c4d|C:\Windows\SYSTEM32\dbgeng.dll+27c807|C:\Windows\SYSTEM32\dbgeng.dll+181398|C:\Windows\SYSTEM32\dbgeng.dll+1818e6|C:\Windows\SYSTEM32\dbgeng.dll+18746d|C:\Windows\SYSTEM32\dbgeng.dll+394cb|C:\Windows\SYSTEM32\dbgeng.dll+3932a|C:\Windows\SYSTEM32\dbgeng.dll+4dadb|C:\Windows\system32\faultrep.dll+110f3|C:\Windows\system32\faultrep.dll+97ee|C:\Windows\system32\faultrep.dll+b375|C:\Windows\system32\faultrep.dll+8864|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.641{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x80000000000000007997437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.641{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007997436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.641{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007997435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.625{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x80000000000000007997434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.562{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x80000000000000007997433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.547{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\iertutil.dll11.00.14393.4283 (rs1_release.210303-1802)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=5541A4A7FB64063F8AFB192ABD4DAE70,SHA256=AABF2E6C392F29B77F076BF705976B68B3100138BC63060335BD154B8417754D,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x80000000000000007997432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.547{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007997431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.547{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007997430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.547{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x80000000000000007997429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.547{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x80000000000000007997428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.547{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x80000000000000007997427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.547{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x80000000000000007997426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.547{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 734700x80000000000000007997425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.391{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\aepic.dll10.0.19645.1032 (WinBuild.160101.0800)Application Experience Program CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationaepic.dllMD5=44537C14A81BC46E513E3284E08201B3,SHA256=05F30E8C2B215A187D2F317137A1DA5B2461BB345B55FA93EB7B0EAA150C1AB5,IMPHASH=01EB9BD88724091CA18150F23E332599trueMicrosoft WindowsValid 734700x80000000000000007997424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.391{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007997423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.391{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x80000000000000007997422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.359{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\WerFault.exe10.0.14393.4402 (rs1_release.210426-1725)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerFault.exeMD5=1C7DB4A4F28D9003E4AC027D9F486B7E,SHA256=F4EF776BE91D69CA06E0C67848634C9C764DBA7B47365B643CFFC181B24EA51D,IMPHASH=4D7307CFBDBD0C5F1319B1CF5C054CA6trueMicrosoft WindowsValid 10341000x80000000000000007997421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.375{3BF36828-EB54-60DD-6602-00000000C801}6762244C:\Windows\system32\WerFault.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\system32\faultrep.dll+f0f8|C:\Windows\system32\faultrep.dll+8762|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.375{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007997419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.359{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\ncryptsslp.dll10.0.14393.3541 (rs1_release_inmarket.200218-2047)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=E1BDF589E27B64D6637852872F4BA1D0,SHA256=C79B6A4AD264169C5B6F177083FD17C26832CD6A838DB697C7BC3C533A162733,IMPHASH=239D379DAEC05CA48775D7DD3AA4BFCAtrueMicrosoft WindowsValid 10341000x80000000000000007997418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.375{3BF36828-EB54-60DD-6602-00000000C801}6762244C:\Windows\system32\WerFault.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\faultrep.dll+80af|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.375{3BF36828-EB54-60DD-6602-00000000C801}6762244C:\Windows\system32\WerFault.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\WerFault.exe+15a6e|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.375{3BF36828-EB54-60DD-6602-00000000C801}6762244C:\Windows\system32\WerFault.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\WerFault.exe+1599f|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.375{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007997414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.375{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007997413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.375{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007997412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.359{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\gpapi.dll10.0.14393.3986 (rs1_release.201002-1707)Group Policy Client APIMicrosoft® Windows® Operating SystemMicrosoft Corporationgpapi.dllMD5=601EDCF334B3DA561BE85560BFAB4831,SHA256=69422D4F7B2E9673178761052D25718F2F1F1D7D5B0962798ECAC66C123FB207,IMPHASH=54A7A105E11720BE50C587CF0CFA8828trueMicrosoft WindowsValid 734700x80000000000000007997411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.375{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007997410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.375{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x80000000000000007997409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.375{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007997408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.375{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007997407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.375{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\Faultrep.dll10.0.14393.4402 (rs1_release.210426-1725)Windows User Mode Crash Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationfaultrep.dllMD5=6C00350227C90474B506650038D5C833,SHA256=54F0229A11A8087917952453F80C1244B4FCB74BF74518D28DB4333A591BBBF7,IMPHASH=0B5226C9569A08D86C4BC35F49183A6BtrueMicrosoft WindowsValid 734700x80000000000000007997406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.375{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FA,IMPHASH=5BAA515B293A764CA06512D078C4E624trueMicrosoft WindowsValid 734700x80000000000000007997405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.359{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x80000000000000007997404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.359{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007997403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.344{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=87A5C9919D4A67629718959772E120DD,SHA256=707BD6ECE458848F7343C2CF3184A74D99C40E7F5E58E5DA608E4C88D03609E4,IMPHASH=D74AB287506D6E20949755E75302AD32trueMicrosoft WindowsValid 734700x80000000000000007997402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.359{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\wintrust.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=D8CD8451D1E194230F18866AD6EFE5E7,SHA256=9977AA1287962035C24DF806DDA67F09FFE9BDF696DBA507D749C624AE1C178D,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x80000000000000007997401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.359{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007997400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.359{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007997399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.359{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007997398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.359{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\wer.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Error Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwer.dllMD5=65C4FEDB972CDE71C2AF0F5AFA1C1C15,SHA256=63C1A7AC782F15980F47972E5B481C2E80EBCD1A2A497EAE93F469BD266CC638,IMPHASH=64F80A25C9178937C2771969A7448641trueMicrosoft WindowsValid 734700x80000000000000007997397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.359{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x80000000000000007997396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.359{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007997395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.359{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007997394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.359{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007997393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.359{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007997392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.359{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007997391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.328{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeC:\Windows\System32\dsrole.dll10.0.14393.0 (rs1_release.160715-1616)DS Setup Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationDSROLE.DLLMD5=2A319EC8DF0FB5C46CF311B9D2B65B1D,SHA256=62B8900EFDF4B30E54E11232A8DA95DBF066DAEFD364A66EB99ADC028A3798F7,IMPHASH=E4AC0A0BD42B7356347D6A1BE150F6A6trueMicrosoft WindowsValid 734700x80000000000000007997390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.359{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007997389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.359{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007997388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.359{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007997387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.359{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.359{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.359{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.359{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.359{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\system32\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007997382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.359{3BF36828-EB54-60DD-6502-00000000C801}38724820C:\Windows\System32\svchost.exe{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\system32\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|c:\windows\system32\faultrep.dll+6abb|c:\windows\system32\faultrep.dll+7121|c:\windows\system32\wersvc.dll+b0bc|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.328{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\System32\Faultrep.dll10.0.14393.4402 (rs1_release.210426-1725)Windows User Mode Crash Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationfaultrep.dllMD5=6C00350227C90474B506650038D5C833,SHA256=54F0229A11A8087917952453F80C1244B4FCB74BF74518D28DB4333A591BBBF7,IMPHASH=0B5226C9569A08D86C4BC35F49183A6BtrueMicrosoft WindowsValid 154100x80000000000000007997380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.361{3BF36828-EB54-60DD-6602-00000000C801}676C:\Windows\System32\WerFault.exe10.0.14393.4402 (rs1_release.210426-1725)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerFault.exeC:\Windows\system32\WerFault.exe -u -p 2868 -s 1908C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=1C7DB4A4F28D9003E4AC027D9F486B7E,SHA256=F4EF776BE91D69CA06E0C67848634C9C764DBA7B47365B643CFFC181B24EA51D,IMPHASH=4D7307CFBDBD0C5F1319B1CF5C054CA6{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe 734700x80000000000000007997379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.328{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeC:\Windows\System32\SecureTimeAggregator.dll10.0.14393.0 (rs1_release.160715-1616)Secure Time AggregatorMicrosoft® Windows® Operating SystemMicrosoft CorporationSecureTimeAggregatorMD5=C8D7AAF88D1B0CD4F1E9CB5F1C7C10E2,SHA256=013A30810DFDB696A459268A04DE20A3F1A6DD45C39C64A5ED653A3FD8A67B26,IMPHASH=D8ABAAD965A5013E5970F3B2DE9BF83FtrueMicrosoft WindowsValid 10341000x80000000000000007997378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.344{3BF36828-DD0B-60DD-0B00-00000000C801}6521204C:\Windows\system32\lsass.exe{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.344{3BF36828-DD0B-60DD-0B00-00000000C801}6521204C:\Windows\system32\lsass.exe{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.344{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007997375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.344{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007997374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.344{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007997373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.328{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\System32\weretw.dll10.0.14393.4169 (rs1_release.210107-1130)WERETW.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWERETW.DLLMD5=1325BA707320C3DC1024560DEA903AD9,SHA256=227376F2B461D7B2539F223E92CFBCBD5EA7DAE182BF277D7D0B2951CAC42B8A,IMPHASH=98C7835D04831B61A0DE6D0C77BFC4A6trueMicrosoft WindowsValid 734700x80000000000000007997372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.344{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\System32\userenv.dll10.0.14393.3986 (rs1_release.201002-1707)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=047D26DCED07A10913C3E7C3A7502BED,SHA256=143C661F79AC6BB271452A10C2A19F6B1AAAAE43B4062B6CFF173F7D8ABC40FE,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x80000000000000007997371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.344{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007997370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.344{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\wintrust.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=D8CD8451D1E194230F18866AD6EFE5E7,SHA256=9977AA1287962035C24DF806DDA67F09FFE9BDF696DBA507D749C624AE1C178D,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x80000000000000007997369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.344{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30E,IMPHASH=8F811B713271A0FEFA798FB95D523A8BtrueMicrosoft WindowsValid 10341000x80000000000000007997368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.344{3BF36828-EB54-60DD-6502-00000000C801}38724820C:\Windows\System32\svchost.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+b039|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.344{3BF36828-EB54-60DD-6502-00000000C801}38724820C:\Windows\System32\svchost.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+ae29|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.344{3BF36828-EB54-60DD-6502-00000000C801}38724820C:\Windows\System32\svchost.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x50C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+8a50|c:\windows\system32\wersvc.dll+86ec|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.344{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843,IMPHASH=EAA4328F5E33714FA08C71E4AAE43CC1trueMicrosoft WindowsValid 734700x80000000000000007997364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.344{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4,IMPHASH=B6A1A16A2B5E910045E998CD7709E966trueMicrosoft WindowsValid 734700x80000000000000007997363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.328{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=2562B81E255EB6DF8497402ABC6C59BB,SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4,IMPHASH=D9603397C5B04530FFA0321E70FF2308trueMicrosoft WindowsValid 734700x80000000000000007997362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.344{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\System32\wintrust.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=D8CD8451D1E194230F18866AD6EFE5E7,SHA256=9977AA1287962035C24DF806DDA67F09FFE9BDF696DBA507D749C624AE1C178D,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x80000000000000007997361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.344{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x80000000000000007997360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.344{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FA,IMPHASH=5BAA515B293A764CA06512D078C4E624trueMicrosoft WindowsValid 734700x80000000000000007997359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.344{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\System32\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=51A0208B106B4392AC4B3174B27A39EF,SHA256=EA9955976994C44DC091A07C69E9C863A4D5A960900019D3C4136BDFD1F885D4,IMPHASH=334E5331674424695F9872596E2677C7trueMicrosoft WindowsValid 734700x80000000000000007997358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.344{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007997357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.344{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007997356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.344{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007997355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.344{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007997354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.344{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007997353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.344{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.14393.2457_none_a13eaee9d8fd5c07\comctl32.dll5.82 (rs1_release_inmarket.180822-1743)Common Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMCTL32.DLLMD5=C89866876D676708892DEEA04A886CDA,SHA256=6C498F9AFFC75DFAADDACB9D1D4248862622FB2B06F0A410BA303A26FEADFF2B,IMPHASH=49FE37530A5C395ADDDAFC2730B16DDDtrueMicrosoft WindowsValid 734700x80000000000000007997352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.344{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007997351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.344{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007997350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.344{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x80000000000000007997349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.328{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007997348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.328{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007997347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.328{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007997346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.328{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\System32\wersvc.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Error Reporting ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationwersvcMD5=193135059F1C51D94EDE4A196C9BE8AF,SHA256=58EF2A62BAFD27ADDC1894A07CE82B7A14F51AA5CDE3CE5C4AD53959C104C6CF,IMPHASH=DF07322327D9F19DBC97D47B526818ACtrueMicrosoft WindowsValid 734700x80000000000000007997345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.328{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x80000000000000007997344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.328{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FA,IMPHASH=5BAA515B293A764CA06512D078C4E624trueMicrosoft WindowsValid 734700x80000000000000007997343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.328{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x80000000000000007997342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.328{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\System32\wer.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Error Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwer.dllMD5=65C4FEDB972CDE71C2AF0F5AFA1C1C15,SHA256=63C1A7AC782F15980F47972E5B481C2E80EBCD1A2A497EAE93F469BD266CC638,IMPHASH=64F80A25C9178937C2771969A7448641trueMicrosoft WindowsValid 734700x80000000000000007997341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.328{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007997340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.328{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007997339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.328{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007997338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.328{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007997337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.328{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x80000000000000007997336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.328{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007997335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.328{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\urlmon.dll11.00.14393.4402 (rs1_release.210426-1725)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=3562767F9C1D8359A735D4F64A9733F5,SHA256=7E60D82C417779D316000AD376BE9BA2CD14728616F35289E34E47CC6839620B,IMPHASH=198DE5B70ABFFE7B73AD088D655B26D1trueMicrosoft WindowsValid 10341000x80000000000000007997334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-DD0B-60DD-0A00-00000000C801}6442912C:\Windows\system32\services.exe{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000007997332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6trueMicrosoft Windows PublisherValid 734700x80000000000000007997331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007997330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007997329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007997328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1,IMPHASH=77951C1B66390D48C5FC7B47D7C8668AtrueMicrosoft WindowsValid 734700x80000000000000007997327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007997326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 734700x80000000000000007997325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007997324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\winhttp.dll10.0.14393.4169 (rs1_release.210107-1130)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=24995B62FFC2519B34A2145673BD275F,SHA256=BB7D4DE1BE6111462F65F999A8969DA04113F15A80D534A93D3CCC76A9FE1F22,IMPHASH=F1FC6BF3699C289EBAF914A7771E49CDtrueMicrosoft WindowsValid 734700x80000000000000007997323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007997322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007997321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007997320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355,IMPHASH=FE994282C73F9AB11AC9B6E37AC26B47trueMicrosoft WindowsValid 10341000x80000000000000007997319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x80000000000000007997318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x80000000000000007997317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-DD0B-60DD-0A00-00000000C801}6442924C:\Windows\system32\services.exe{3BF36828-EB54-60DD-6502-00000000C801}3872C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+17f9d|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007997315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 10341000x80000000000000007997314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 10341000x80000000000000007997310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007997308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x80000000000000007997307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x80000000000000007997306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 10341000x80000000000000007997305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-DD1D-60DD-2500-00000000C801}28682904C:\Windows\System32\spoolsv.exe{3BF36828-EB54-60DD-6402-00000000C801}5028C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6614|C:\Windows\SYSTEM32\ntdll.dll+58dbb|C:\Windows\SYSTEM32\ntdll.dll+696b|C:\Windows\SYSTEM32\ntdll.dll+75bf|C:\Windows\SYSTEM32\ntdll.dll+6787|C:\Windows\SYSTEM32\ntdll.dll+fe33a|C:\Windows\SYSTEM32\ntdll.dll+ae01b|C:\Windows\SYSTEM32\ntdll.dll+96776|C:\Windows\SYSTEM32\ntdll.dll+a57e2|C:\Windows\SYSTEM32\ntdll.dll+aa70d|C:\Windows\SYSTEM32\ntdll.dll+349c3|C:\Windows\SYSTEM32\ntdll.dll+366d9|C:\Windows\SYSTEM32\ntdll.dll+bfbd1|C:\Windows\SYSTEM32\ntdll.dll+52385|C:\Windows\system32\spool\DRIVERS\x64\3\evil.dll+1194|C:\Windows\system32\spool\DRIVERS\x64\3\evil.dll+11d8|C:\Windows\SYSTEM32\ntdll.dll+1859f|C:\Windows\SYSTEM32\ntdll.dll+71d1e|C:\Windows\SYSTEM32\ntdll.dll+71b6b|C:\Windows\SYSTEM32\ntdll.dll+2d7dd|C:\Windows\SYSTEM32\ntdll.dll+18b4d|C:\Windows\SYSTEM32\ntdll.dll+1512d|C:\Windows\SYSTEM32\ntdll.dll+11c4c|C:\Windows\System32\KERNELBASE.dll+25b2f 734700x80000000000000007997304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007997303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007997302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007997301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007997300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007997297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.312{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007997296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.297{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007997295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.297{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\iertutil.dll11.00.14393.4283 (rs1_release.210303-1802)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=5541A4A7FB64063F8AFB192ABD4DAE70,SHA256=AABF2E6C392F29B77F076BF705976B68B3100138BC63060335BD154B8417754D,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x80000000000000007997294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.281{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\imagehlp.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT Image HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationIMAGEHLP.DLLMD5=E1C665DC0FD5A7423B0C0F5325A1027F,SHA256=8B84BE9335EF640ABAA8E8BBA45C6BC77F2251359D4BCC157235CB4BC107AE69,IMPHASH=C88C4D131D277C03F0879B4E0D5679DBtrueMicrosoft WindowsValid 734700x80000000000000007997293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.266{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6CtrueMicrosoft WindowsValid 734700x80000000000000007997292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.281{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\wininet.dll11.00.14393.4402 (rs1_release.210426-1725)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=27D3D531D0EA9B3EE7F54C4DE5A15946,SHA256=05254BA3332E887C9F97D42406A7C2CEE4DF405ECAF39391968FD472CC4F1F89,IMPHASH=B3ABC7D59C2B1ACAEECA63C53B0AAC4BtrueMicrosoft WindowsValid 734700x80000000000000007997291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.281{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x80000000000000007997290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.281{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007997289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.266{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007997288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.266{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007997287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.266{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007997286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.266{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007997285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.266{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\evil.dll-----MD5=2E095DF3D3FC82B6171F548DA0699833,SHA256=4033B2A0206F4B4E915CFB0912954F6C169D2D3545090AA72AEBF6910596F0B8,IMPHASH=22647E5B96F2DE81D003F25D98D7D2DCfalse-Unavailable 10341000x80000000000000007997284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.266{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.266{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.266{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.266{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.266{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007997279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.266{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007997278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.266{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007997277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.266{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007997276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.266{3BF36828-DD1D-60DD-2500-00000000C801}28682904C:\Windows\System32\spoolsv.exe{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+5fc62|C:\Windows\System32\KERNELBASE.dll+5f7f6|C:\Windows\System32\KERNEL32.DLL+1bcc3|C:\Windows\system32\spool\DRIVERS\x64\3\evil.dll+10d9|C:\Windows\system32\spool\DRIVERS\x64\3\evil.dll+11d8|C:\Windows\SYSTEM32\ntdll.dll+1859f|C:\Windows\SYSTEM32\ntdll.dll+71d1e|C:\Windows\SYSTEM32\ntdll.dll+71b6b|C:\Windows\SYSTEM32\ntdll.dll+2d7dd|C:\Windows\SYSTEM32\ntdll.dll+18b4d|C:\Windows\SYSTEM32\ntdll.dll+1512d|C:\Windows\SYSTEM32\ntdll.dll+11c4c|C:\Windows\System32\KERNELBASE.dll+25b2f|C:\Windows\system32\winspool.drv+52cd|C:\Windows\system32\winspool.drv+6a93|C:\Windows\System32\PrintIsolationProxy.dll+605b|C:\Windows\System32\PrintIsolationProxy.dll+5234|C:\Windows\System32\localspl.dll+2c947|C:\Windows\System32\localspl.dll+2e4f2|C:\Windows\System32\localspl.dll+3f930|C:\Windows\System32\localspl.dll+3f588|C:\Windows\System32\localspl.dll+366f6 154100x80000000000000007997275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.275{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXErundll32.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe 13241300x80000000000000007997274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localInvDB-DriverVerSetValue2021-07-01 16:20:36.266{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exeHKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\1234\DriverVersion0.0.0.0 11241100x80000000000000007997273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localDLL2021-07-01 16:20:36.250{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\New\evil.dll2021-07-01 16:11:19.000 23542300x80000000000000007997272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.250{3BF36828-DD1D-60DD-2500-00000000C801}2868NT AUTHORITY\SYSTEMC:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\New\evil.dllMD5=2E095DF3D3FC82B6171F548DA0699833,SHA256=4033B2A0206F4B4E915CFB0912954F6C169D2D3545090AA72AEBF6910596F0B8,IMPHASH=22647E5B96F2DE81D003F25D98D7D2DCfalsetrue 11241100x80000000000000007997271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localDLL2021-07-01 16:20:36.250{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\New\evil.dll2021-07-01 16:11:19.000 11241100x80000000000000007997270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localDLL2021-07-01 16:20:36.250{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\New\UNIDRV.DLL2020-11-11 04:43:57.400 734700x80000000000000007997269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.250{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exeC:\Windows\System32\mscms.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Color Matching System DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCMS.DLLMD5=85508B678B5852611B112F61858CFC9B,SHA256=88BEBDCCD2532A4D62C4D5EFE475590513BAA7C90C0885FC68DC4451BD06DF8A,IMPHASH=9C1E7CCABDEA296D63CB0D1AF20AD0E3trueMicrosoft WindowsValid 734700x80000000000000007997268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.250{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exeC:\Windows\System32\ntprint.dll10.0.14393.4169 (rs1_release.210107-1130)Spooler Setup DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPRINTUI.DLLMD5=FCD56A8D372CFB6470F37F73DB5980E9,SHA256=7D6DBED9D573BC91B7DAEE45132696ACE13CAF76336B91C02E2BEE12512B7CAA,IMPHASH=41A92CD30D93B5E45AC65C66BC12C1F4trueMicrosoft WindowsValid 734700x80000000000000007997267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.234{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\UNIDRV.DLL10.0.14393.4046 (rs1_release.201028-1803)Unidrv Printer DriverMicrosoft® Windows® Operating SystemMicrosoft CorporationUNIDRV.DLLMD5=E436D98FF6EA2DEFCC71561E46718CF8,SHA256=24635AE9BC12B4133CE35EF96CACA51A269ECC320BC1CD9A257417D16959D087,IMPHASH=012DBD89908BD18476361E7B607D0AD9trueMicrosoft WindowsValid 734700x80000000000000007997266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.234{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\kernelbase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 13241300x80000000000000007997265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localInvDB-DriverVerSetValue2021-07-01 16:20:36.219{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exeHKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\1234\DriverVersion0.0.0.0 11241100x80000000000000007997264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localDLL2021-07-01 16:20:36.219{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\New\evil.dll2021-07-01 16:11:19.000 11241100x80000000000000007997263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localDLL2021-07-01 16:20:36.203{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\New\kernelbase.dll2021-04-14 04:03:54.303 11241100x80000000000000007997262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localDLL2021-07-01 16:20:36.203{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\New\UNIDRV.DLL2020-11-11 04:43:57.400 734700x80000000000000007997261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.203{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exeC:\Windows\System32\mscms.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Color Matching System DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCMS.DLLMD5=85508B678B5852611B112F61858CFC9B,SHA256=88BEBDCCD2532A4D62C4D5EFE475590513BAA7C90C0885FC68DC4451BD06DF8A,IMPHASH=9C1E7CCABDEA296D63CB0D1AF20AD0E3trueMicrosoft WindowsValid 734700x80000000000000007997260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.203{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exeC:\Windows\System32\ntprint.dll10.0.14393.4169 (rs1_release.210107-1130)Spooler Setup DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPRINTUI.DLLMD5=FCD56A8D372CFB6470F37F73DB5980E9,SHA256=7D6DBED9D573BC91B7DAEE45132696ACE13CAF76336B91C02E2BEE12512B7CAA,IMPHASH=41A92CD30D93B5E45AC65C66BC12C1F4trueMicrosoft WindowsValid 10341000x80000000000000007997259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.187{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\kerberos.DLL+61fca|C:\Windows\system32\kerberos.DLL+4d30e|C:\Windows\system32\kerberos.DLL+1ce2|C:\Windows\system32\lsasrv.dll+29641|C:\Windows\system32\lsasrv.dll+290b4|C:\Windows\system32\lsasrv.dll+2a316|C:\Windows\system32\lsasrv.dll+29665|C:\Windows\system32\lsasrv.dll+26321|C:\Windows\SYSTEM32\SspiSrv.dll+16e7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007997258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.187{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:36.187{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-DD1D-60DD-2500-00000000C801}2868C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015901436Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:36.410{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4358F72F00826F36B564C491A649FA7,SHA256=A0F7DDD8F24074AAE7932A3EC0C3146702C97F9C241B9266CB235FDAB2313F23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007997610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:37.969{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PrintService_AdminMD5=EBA42499C1FA4B2FFC4B6B98643BE3F3,SHA256=FC92218A834FCA0CB833E4BAF63E303A164CEBC4DE2E9D1BA08660EA52F5B6D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007997609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:37.969{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7E1E4B8A544FF4EB3D5CDD68C14E5056,SHA256=E2E1FE66B3226DC0C06CEC7FEF4BFC4817A01EFF8492465C7375261AD3CC09DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007997608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:37.969{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PrintService_OperationalMD5=D850A6CB1E5B3FAF1EC98F74871635FA,SHA256=E3DFC4B609D409B8B77F2614E35D0732C80E4EA98A1E310F9CEABC807CF6B58A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007997607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:37.969{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PrintService_AdminMD5=A169F93DB70CDC6971D8C8A58B547439,SHA256=3A0960056F49A607845E3A106C8BAB02079F3CCA6E2B423C0C8266B8115A7DB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007997606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:37.969{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=957593537DF6A18F59C68340823CE114,SHA256=755031EDD963FA8B40B5CAC5DEA8F45AB058DDAA1055EA303C2B69314757A82E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007997605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:37.969{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A98CDDD3BD3711CA7F5E3B6269B7AC15,SHA256=3D4849B40684A8EF8BE19582BA7C2A5A1B8DEB7DB0F6FC2BD8282B688A1A1FE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007997604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:37.969{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PrintService_OperationalMD5=76D5AD5B3EFF06373B4F4746FE3EB3D6,SHA256=6F9F9676375872085A3BF8D1C1E6D22806C460EA05624161289AF8A588FBE4A7,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007997603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:37.875{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\System32\svchost.exeC:\Windows\System32\wevtapi.dll10.0.14393.3053 (rs1_release_inmarket.190612-1836)Eventing Consumption and Configuration APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwevtapi.dllMD5=E0D1C6AC18800339A2EC1134A7C899ED,SHA256=E4340ACB47A202B1BFCE678C44BA5B0B171E388021B0B7D0CED19A55AD9712E1,IMPHASH=4CAFDD735088F52AC974373982DCCDF2trueMicrosoft WindowsValid 734700x80000000000000007997602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:37.875{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\System32\svchost.exeC:\Windows\System32\fthsvc.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft Windows Fault Tolerant Heap Diagnostic ModuleMicrosoft® Windows® Operating SystemMicrosoft Corporationfthsvc.dllMD5=899E60FF3E315B4F05F591551A134835,SHA256=5F26E8E42740C9D72F71752F66D660FB3F0D52D532BAFE85310B51D377BA6081,IMPHASH=1B7508300DDB76E8C10637683D00FD51trueMicrosoft WindowsValid 734700x80000000000000007997601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:37.875{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeC:\Windows\System32\pcadm.dll10.0.14393.4402 (rs1_release.210426-1725)Program Compatibility Assistant Diagnostic ModuleMicrosoft® Windows® Operating SystemMicrosoft Corporation-MD5=49AA521CA535634166B336A5466AF84D,SHA256=68AA3CE5A6A108267C6B1CD2FCF948F4F05ADA3664D0A1BEAA3811C1E7D8D219,IMPHASH=87A3AD703BADD3DFEF6CD8454A33C4CEtrueMicrosoft WindowsValid 734700x80000000000000007997600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:37.875{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\System32\svchost.exeC:\Windows\System32\wdi.dll10.0.14393.0 (rs1_release.160715-1616)Windows Diagnostic InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationwdi.dllMD5=E7A7E8803E66B7CCED95D327A4DBC135,SHA256=401ECD953D4014A95C9022822D9ACEC1A68C917281DBA2365503A473FC6D9507,IMPHASH=C4D742A0EA60EA0359B282ACF9999522trueMicrosoft WindowsValid 734700x80000000000000007997599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:37.875{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeC:\Windows\System32\wdi.dll10.0.14393.0 (rs1_release.160715-1616)Windows Diagnostic InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationwdi.dllMD5=E7A7E8803E66B7CCED95D327A4DBC135,SHA256=401ECD953D4014A95C9022822D9ACEC1A68C917281DBA2365503A473FC6D9507,IMPHASH=C4D742A0EA60EA0359B282ACF9999522trueMicrosoft WindowsValid 17141700x80000000000000007997598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-CreatePipe2021-07-01 16:20:37.875{3BF36828-DD0D-60DD-1100-00000000C801}640\ProtectedPrefix\LocalService\FTHPIPEC:\Windows\system32\svchost.exe 734700x80000000000000007997597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:37.875{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\System32\svchost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.14393.2457_none_a13eaee9d8fd5c07\comctl32.dll5.82 (rs1_release_inmarket.180822-1743)Common Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMCTL32.DLLMD5=C89866876D676708892DEEA04A886CDA,SHA256=6C498F9AFFC75DFAADDACB9D1D4248862622FB2B06F0A410BA303A26FEADFF2B,IMPHASH=49FE37530A5C395ADDDAFC2730B16DDDtrueMicrosoft WindowsValid 734700x80000000000000007997596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:37.875{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\System32\svchost.exeC:\Windows\System32\wer.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Error Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwer.dllMD5=65C4FEDB972CDE71C2AF0F5AFA1C1C15,SHA256=63C1A7AC782F15980F47972E5B481C2E80EBCD1A2A497EAE93F469BD266CC638,IMPHASH=64F80A25C9178937C2771969A7448641trueMicrosoft WindowsValid 734700x80000000000000007997595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:37.875{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\System32\svchost.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117,IMPHASH=BF1AF19CCBABA6D54178C43BE36CD985trueMicrosoft WindowsValid 734700x80000000000000007997594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:37.875{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6,IMPHASH=46ADE2B067E724C7163A0B1902FEF225trueMicrosoft WindowsValid 734700x80000000000000007997593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:37.875{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeC:\Windows\System32\pcacli.dll10.0.14393.0 (rs1_release.160715-1616)Program Compatibility Assistant Client ModuleMicrosoft® Windows® Operating SystemMicrosoft Corporation-MD5=012B8825E588F74439D55115ED1FE5AD,SHA256=D646D30D2538E47FEFB9C1D5B323476B2701822FF6BCC91155C40BAA6710975E,IMPHASH=EE6E7AA59AC992D3937C01196243C8D7trueMicrosoft WindowsValid 10341000x80000000000000007997592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:37.875{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:37.875{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:37.875{3BF36828-DD0B-60DD-0B00-00000000C801}6521204C:\Windows\system32\lsass.exe{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000007997589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:35.525{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61072-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal8000- 10341000x80000000000000007997588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:37.797{3BF36828-DD1D-60DD-2A00-00000000C801}21003104C:\Windows\sysmon64.exe{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:37.797{3BF36828-DD1D-60DD-2A00-00000000C801}21003104C:\Windows\sysmon64.exe{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000007997586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:35.348{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.16ip-10-0-1-16.us-west-2.compute.internal48186-false10.0.1.14win-dc-128.attackrange.local445microsoft-ds 734700x80000000000000007997585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:37.453{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\explorer.exeC:\Windows\System32\PhotoMetadataHandler.dll10.0.14393.4169 (rs1_release.210107-1130)Photo Metadata HandlerMicrosoft® Windows® Operating SystemMicrosoft CorporationPhotoMetadataHandler.dllMD5=6FB0850ABAD1E8FDD1F662FCF819262C,SHA256=3EFCA956A159AE40CE292607EC59E4D258BDE13EAB51AFEF270FE55154CFA26E,IMPHASH=C204FCA51D1E4DDB2A7903D799C90765trueMicrosoft WindowsValid 734700x80000000000000007997584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:37.047{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscapi.dllMD5=6433F8201BFB449DC6B47F6999C2F164,SHA256=06729F1E0A0596620B48B6DC4A2CC9CC5FE55B17BD488C71F7F15AA4262C8C14,IMPHASH=50E2F760F0B39DC72CAD6892FEDF2F27trueMicrosoft WindowsValid 734700x80000000000000007997583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:37.047{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007997582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:37.031{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x80000000000000007997581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:37.031{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x80000000000000007997580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:37.016{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=1AF6CD8B7CE4A852F67AA98C71AA1D26,SHA256=EF0DE008500A8C9C7908383AF11AE55845EBBE28C96C013EA720950BA89D3D28,IMPHASH=A90D5BC867A86FBF8F4557CE6F216093trueMicrosoft WindowsValid 734700x80000000000000007997579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:37.031{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x80000000000000007997578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:37.031{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x80000000000000007997577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:37.016{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6,IMPHASH=46ADE2B067E724C7163A0B1902FEF225trueMicrosoft WindowsValid 734700x80000000000000007997576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:37.031{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x80000000000000007997575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:37.016{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 23542300x800000000000000015901437Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:37.426{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD2B669E298EA8C87A3B7CD2876365AC,SHA256=E4A79F74237C377D759B1B5AB5FDDBC5E8011F5C7DFA9B8FBB7BEECEFFEF724E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901438Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:38.488{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B886813C8E800DA9D809649CCA2AA67A,SHA256=D57F4B03AF50779099A16612F012494E95C107D7F7BF07A719BD8E271F7D37FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007997616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:39.750{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=941197C29B5DAAB90805AD12E8D8FE59,SHA256=5B1C3B5D25DE1C4DE5F47CA14521B37F7CF27CB122DFD47C58DF539D2DD01886,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007997615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:35.885{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61073-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal8000- 10341000x80000000000000007997614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:39.609{3BF36828-DD1D-60DD-2A00-00000000C801}21003104C:\Windows\sysmon64.exe{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:39.609{3BF36828-DD1D-60DD-2A00-00000000C801}21003104C:\Windows\sysmon64.exe{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:39.516{3BF36828-DD0D-60DD-0D00-00000000C801}9241944C:\Windows\system32\svchost.exe{3BF36828-E975-60DD-2802-00000000C801}3792C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007997611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:39.062{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7E1E4B8A544FF4EB3D5CDD68C14E5056,SHA256=E2E1FE66B3226DC0C06CEC7FEF4BFC4817A01EFF8492465C7375261AD3CC09DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901439Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:39.488{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=357825A8EF5A74CEFC0F3DE8A5CC694F,SHA256=AD89CFA80265313DB5D015F5163D93453D71913A6328439EDFB6FC410D83391C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007997618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:38.256{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61074-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007997617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:40.500{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64AE262387E48F1C5D145714BB1EBEF5,SHA256=EA1D881AF23FAB3E659B59D85C74D69198B06FF6E9FFD0572B3A6362960D1390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901440Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:40.520{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24F9D9B9621F0E08F6FB8FE7E7613EED,SHA256=05FA7F9D424D17DA85AB92DB2C0211826DBB9436BA12314632EFEE587266EED8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007997661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.984{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\ualapi.dll10.0.14393.2636 (rs1_release_1.181031-1836)Windows User Access LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationualapi.dllMD5=BBD8E839B4D33D7BB5761EC15C837EBF,SHA256=D52F179FBC42858904CFE0A743927756E6C722237A015A4D0A012F730D162C0C,IMPHASH=A9AB204CF2B4A1903B3FBA3C920BD357trueMicrosoft WindowsValid 734700x80000000000000007997660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.984{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x80000000000000007997659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.984{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x80000000000000007997658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.984{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007997657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.984{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x80000000000000007997656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.984{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x80000000000000007997655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.984{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007997654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.984{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007997653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.984{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x80000000000000007997652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.984{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x80000000000000007997651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.984{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007997650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.984{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x80000000000000007997649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.984{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 734700x80000000000000007997648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.969{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe10.0.14393.4169 (rs1_release.210107-1130)Spooler SubSystem AppMicrosoft® Windows® Operating SystemMicrosoft Corporationspoolsv.exeMD5=87E844BD124333302C9DCF947D98B3A3,SHA256=4C3316B6F7671B2E859B2BC98702C7973FB9BC7A6EA71EDB6ACDFE2CF23EB7A0,IMPHASH=A40033EBEE6E37CE4B1D96B817E1BCC7trueMicrosoft WindowsValid 10341000x80000000000000007997647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.984{3BF36828-DD0B-60DD-0A00-00000000C801}6442912C:\Windows\system32\services.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.984{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007997645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.984{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007997644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.984{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007997643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.984{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000007997642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.969{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007997641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.969{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007997640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.969{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007997639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.969{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007997638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.969{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007997637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.969{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007997636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.969{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007997635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.969{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007997634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.969{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007997633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.969{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007997632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.969{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007997631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.969{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007997630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.969{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.969{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.969{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.969{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.969{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007997625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.969{3BF36828-DD0B-60DD-0A00-00000000C801}6442924C:\Windows\system32\services.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+435ad|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007997624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.970{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe10.0.14393.4169 (rs1_release.210107-1130)Spooler SubSystem AppMicrosoft® Windows® Operating SystemMicrosoft Corporationspoolsv.exeC:\Windows\System32\spoolsv.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=87E844BD124333302C9DCF947D98B3A3,SHA256=4C3316B6F7671B2E859B2BC98702C7973FB9BC7A6EA71EDB6ACDFE2CF23EB7A0,IMPHASH=A40033EBEE6E37CE4B1D96B817E1BCC7{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000007997623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.969{3BF36828-DD0B-60DD-0B00-00000000C801}6521204C:\Windows\system32\lsass.exe{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.969{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.969{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.969{3BF36828-DD0B-60DD-0B00-00000000C801}6521204C:\Windows\system32\lsass.exe{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007997619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:41.297{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE06671FF7AA252BF73901AF8F04661C,SHA256=DB86746193312E3A9380390FA3F9FE4E7605CBBC8FC2DD6D737E43AA94CF2940,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901442Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:41.535{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C665FD5DE5CE4E48FE99E81BB0EF9E2,SHA256=3B425E5FE64CBE50144C1ECA8A36514D545682716DFD6C5FCC82B11FBD59B706,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901441Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:39.530{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52101-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007997669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:42.484{3BF36828-DD0D-60DD-1200-00000000C801}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E40B3A5724BCF49B09535ED2201D9DA9,SHA256=05131B4277B4115CCB3E4AF76E31D51845987CD2A1E25AB346E7D295BEBA22CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007997668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:42.062{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C9FF899FD5A12891EC3CB54293041E9,SHA256=6A3EE9FFF97F01FCA96CB4145FFD5C13FB99A8D99ED6C4B08E0B97F5BC9E7462,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007997667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:42.015{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\esent.dll10.0.14393.3686 (rs1_release.200504-1524)Extensible Storage Engine for Microsoft(R) Windows(R)Microsoft® Windows® Operating SystemMicrosoft Corporationesent.dllMD5=372653326F31FCCA92A05331BCC8C95D,SHA256=B300AF0A4651A44C4D7D344033EB6317480CEF6F9E24BE1B34DA75A1B00C1807,IMPHASH=637BF97067C7F0AB1E14497F0B9878AAtrueMicrosoft WindowsValid 17141700x80000000000000007997666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-CreatePipe2021-07-01 16:20:42.015{3BF36828-EB59-60DD-6B02-00000000C801}2024\Winsock2\CatalogChangeListener-7e8-0C:\Windows\System32\spoolsv.exe 734700x80000000000000007997665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:42.015{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 10341000x80000000000000007997664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:42.015{3BF36828-DD0B-60DD-0B00-00000000C801}6521204C:\Windows\system32\lsass.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:42.015{3BF36828-DD0B-60DD-0B00-00000000C801}6521204C:\Windows\system32\lsass.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:42.015{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 10341000x800000000000000015901456Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:42.770{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EB5A-60DD-862A-00000000C701}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901455Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:42.770{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901454Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:42.770{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901453Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:42.770{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901452Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:42.770{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901451Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:42.770{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901450Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:42.770{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901449Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:42.770{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901448Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:42.770{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901447Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:42.770{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901446Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:42.770{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-EB5A-60DD-862A-00000000C701}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901445Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:42.770{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EB5A-60DD-862A-00000000C701}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901444Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:42.770{B81B27B7-EB5A-60DD-862A-00000000C701}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901443Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:42.535{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF18B807B17E421DA5D86C929773CDE1,SHA256=97141B24BE1CDFF633E0ACFC5854BFDD0A6A7DAE1469FBEE7C74575ED6B4F803,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007997671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:43.547{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6B113EAE532EF08D1165E767EF89858,SHA256=0F9E0BACE02919483C0AB7C63CEDF91156F711418870D768D4A3BBFBBF540DE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007997670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:43.547{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=48834ABEB485DB7BB1CD7816A10957A9,SHA256=1529E3A36EC42714D7C9FC201A8B63E9324BB82863FB8036EA35F588A764DC9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901473Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:43.785{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF2B9B780F16D90FEED353044928EB86,SHA256=4F9CDF039B95AAF2A5D424B58634A029D0BE7E1C732E046FE26D83270BD28807,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901472Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:43.785{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B26388F14C5586881AA10EF6D513647C,SHA256=1E1AA852AE9E5AD9EC3E613C3CE2CFAFFB3B06E9A4D25F588B00BE6CD500FA20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015901471Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:43.582{B81B27B7-EB5B-60DD-872A-00000000C701}59644800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015901470Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:43.566{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=177E431E6F3DD1002580C162E53BC114,SHA256=287DF40B4764120756A919BAB70ACA0C270261DF87B6B371151FA78059A1AC78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015901469Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:43.441{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EB5B-60DD-872A-00000000C701}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901468Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:43.441{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901467Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:43.441{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901466Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:43.441{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901465Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:43.441{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901464Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:43.441{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901463Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:43.441{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901462Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:43.441{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901461Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:43.441{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901460Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:43.441{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901459Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:43.441{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-EB5B-60DD-872A-00000000C701}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901458Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:43.441{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EB5B-60DD-872A-00000000C701}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901457Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:43.442{B81B27B7-EB5B-60DD-872A-00000000C701}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007997672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:44.937{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB588E2FCEEE2E652C23CAF7565F0355,SHA256=2CF7EB022CA1378E05B9952E88ED11B24E783D0E28D18DC54219A973B3993212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901487Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:44.723{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9AADDE0B363EB7EA0B107741A3E16D3,SHA256=DD56E20CDDCB517BA20D1A2BA65CF9BB721BDF18FFAC0FEE69D3EE6DFEB7FB78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015901486Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:44.113{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EB5C-60DD-882A-00000000C701}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901485Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:44.113{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901484Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:44.113{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901483Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:44.113{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901482Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:44.113{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901481Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:44.113{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901480Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:44.113{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901479Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:44.113{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901478Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:44.113{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901477Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:44.113{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901476Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:44.113{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-EB5C-60DD-882A-00000000C701}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901475Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:44.113{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EB5C-60DD-882A-00000000C701}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901474Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:44.114{B81B27B7-EB5C-60DD-882A-00000000C701}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901489Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:45.770{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8CD303791733B1507D59B79634E5B40,SHA256=0262D09389312579895838B2761699F0AEB6D98B61876060428FB726026EAE14,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901488Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:45.129{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF2B9B780F16D90FEED353044928EB86,SHA256=4F9CDF039B95AAF2A5D424B58634A029D0BE7E1C732E046FE26D83270BD28807,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007997679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:46.968{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeC:\Windows\System32\devinv.dll10.0.19645.1032 (WinBuild.160101.0800)Device Inventory LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinv.dllMD5=8BFD253467CDB3F41ED2A23FE08B361D,SHA256=5A938F1A6D0FF39BE7B5BD88F46988F4CDAA78134E9E22AC02C46EC688819D17,IMPHASH=94EEFF72CC677C4C4124B0B3A85F7825trueMicrosoft WindowsValid 734700x80000000000000007997678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:46.968{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x80000000000000007997677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:46.968{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeC:\Windows\System32\drvstore.dll10.0.14393.2791 (rs1_release.190205-1511)Driver Store APIMicrosoft® Windows® Operating SystemMicrosoft CorporationDRVSTORE.DLLMD5=D0DE1D69FC3F00F65F8D67C31BCC9682,SHA256=F27CEB248FCB3444B850896CB916DACC10BC730E7C2679D2A6C2582CC667F8AD,IMPHASH=AC3F232984E3ABCCF80F1B2A1ACA9991trueMicrosoft WindowsValid 734700x80000000000000007997676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:46.968{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x80000000000000007997675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:46.375{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19018C9BBFEF66E0C356000DA7D9B069,SHA256=9F7F995F73F7A83F02684310DFCE5B508C0C483C75BF04A40D3C15BC39501F77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007997674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:46.375{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=517EDEC20CAC9073CD60048DD63AA0FC,SHA256=24BAC840FB6E4870F8E6145535BFD7E8372AC62A0BA3ECB07B52364C06BC4F23,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007997673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:43.396{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61076-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000015901491Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:44.546{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52102-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901490Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:46.770{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22C438F21D8E40733AE30721D8B8011D,SHA256=D7A8709BB9104A4A166CEA261C701CA33F97B1F20A05622DB2F6060339297805,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.750{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0674F9A985C54C4608708AF534DE997,SHA256=BA44365CCD11E879EF0A864B5312D9C9074C2B737380DE8E6BA06B4504CE06FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007998080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.750{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C6BCFB3DEF5AEFDD8F5C52566A7A03D4,SHA256=D28B30075F2942CF8E889EBA203276BB0511B6EB43A62802965F9AC91979D4A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007998079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.750{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6BF89E0F560AD258C9767C4033F7F9A1,SHA256=361D8133BA5D805B264B915BBE76B5739DAAA9A38447088FCB44B5A0A257A80C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007998078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.656{3BF36828-EB5F-60DD-7302-00000000C801}4324248C:\Windows\system32\WerFault.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\system32\wer.dll+37d6c|C:\Windows\system32\wer.dll+382c4|C:\Windows\system32\wer.dll+38c5a|C:\Windows\system32\wer.dll+13c54|C:\Windows\system32\wer.dll+6476|C:\Windows\system32\faultrep.dll+b61e|C:\Windows\system32\faultrep.dll+8864|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.625{3BF36828-EB5F-60DD-7302-00000000C801}4324248C:\Windows\system32\WerFault.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\dbgeng.dll+280c4d|C:\Windows\SYSTEM32\dbgeng.dll+27c807|C:\Windows\SYSTEM32\dbgeng.dll+181398|C:\Windows\SYSTEM32\dbgeng.dll+1818e6|C:\Windows\SYSTEM32\dbgeng.dll+18746d|C:\Windows\SYSTEM32\dbgeng.dll+394cb|C:\Windows\SYSTEM32\dbgeng.dll+3932a|C:\Windows\SYSTEM32\dbgeng.dll+4dadb|C:\Windows\system32\faultrep.dll+110f3|C:\Windows\system32\faultrep.dll+97ee|C:\Windows\system32\faultrep.dll+b375|C:\Windows\system32\faultrep.dll+8864|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007998076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.625{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x80000000000000007998075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.625{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007998074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.625{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007998073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.625{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x80000000000000007998072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.625{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\DbgModel.dll10.0.14321.1024 (debuggers(dbg).190305-1856)Windows Debugger Data ModelMicrosoft® Windows® Operating SystemMicrosoftDbgModel.DllMD5=5C0CB6EEB206114097FF8AE23623EABC,SHA256=B831287C9EDA9AE16291EEE1B3E3B62C9EC6A3FAFFDD215DC294AEBE7D741460,IMPHASH=582F1BF95ACB46724010A4BAB33FFA2BtrueMicrosoft WindowsValid 734700x80000000000000007998071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.625{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\dbgeng.dll10.0.14321.1024 (rs1_release.190305-1856)Windows Symbolic Debugger EngineMicrosoft® Windows® Operating SystemMicrosoftDbgEng.DllMD5=551A3B8C43F0C5977DC9F0EB118544C0,SHA256=0198852F19BAF5F32CECC8B6A1543D068B3C8DEFA6A71137C951D267D737D9DB,IMPHASH=3C1576CA310AF2169815CAE63D89B47FtrueMicrosoft WindowsValid 734700x80000000000000007998070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.609{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007998069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.609{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x80000000000000007998068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.609{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\iertutil.dll11.00.14393.4283 (rs1_release.210303-1802)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=5541A4A7FB64063F8AFB192ABD4DAE70,SHA256=AABF2E6C392F29B77F076BF705976B68B3100138BC63060335BD154B8417754D,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x80000000000000007998067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.609{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007998066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.609{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007998065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.609{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x80000000000000007998064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.609{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x80000000000000007998063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.609{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x80000000000000007998062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.609{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x80000000000000007998061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.609{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 734700x80000000000000007998060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.609{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x80000000000000007998059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.609{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\aepic.dll10.0.19645.1032 (WinBuild.160101.0800)Application Experience Program CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationaepic.dllMD5=44537C14A81BC46E513E3284E08201B3,SHA256=05F30E8C2B215A187D2F317137A1DA5B2461BB345B55FA93EB7B0EAA150C1AB5,IMPHASH=01EB9BD88724091CA18150F23E332599trueMicrosoft WindowsValid 10341000x80000000000000007998058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.609{3BF36828-EB5F-60DD-7302-00000000C801}4324248C:\Windows\system32\WerFault.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\system32\faultrep.dll+f0f8|C:\Windows\system32\faultrep.dll+8762|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007998057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.609{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007998056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.609{3BF36828-EB5F-60DD-7302-00000000C801}4324248C:\Windows\system32\WerFault.exe{3BF36828-EB5F-60DD-7402-00000000C801}3228C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6614|C:\Windows\SYSTEM32\ntdll.dll+58dbb|C:\Windows\System32\KERNELBASE.dll+b780d|C:\Windows\system32\faultrep.dll+84bb|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007998055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.547{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007998054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.562{3BF36828-EB5F-60DD-7302-00000000C801}4324248C:\Windows\system32\WerFault.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\faultrep.dll+80af|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.562{3BF36828-EB5F-60DD-7302-00000000C801}4324248C:\Windows\system32\WerFault.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\WerFault.exe+15a6e|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.562{3BF36828-EB5F-60DD-7302-00000000C801}4324248C:\Windows\system32\WerFault.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\WerFault.exe+1599f|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007998051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.562{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007998050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.562{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007998049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.562{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007998048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.562{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007998047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.562{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x80000000000000007998046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.562{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007998045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.562{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\Faultrep.dll10.0.14393.4402 (rs1_release.210426-1725)Windows User Mode Crash Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationfaultrep.dllMD5=6C00350227C90474B506650038D5C833,SHA256=54F0229A11A8087917952453F80C1244B4FCB74BF74518D28DB4333A591BBBF7,IMPHASH=0B5226C9569A08D86C4BC35F49183A6BtrueMicrosoft WindowsValid 734700x80000000000000007998044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.562{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007998043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.562{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FA,IMPHASH=5BAA515B293A764CA06512D078C4E624trueMicrosoft WindowsValid 734700x80000000000000007998042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.562{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x80000000000000007998041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.562{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007998040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.562{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\wintrust.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=D8CD8451D1E194230F18866AD6EFE5E7,SHA256=9977AA1287962035C24DF806DDA67F09FFE9BDF696DBA507D749C624AE1C178D,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x80000000000000007998039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.562{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007998038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.562{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007998037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.562{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007998036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.562{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\wer.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Error Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwer.dllMD5=65C4FEDB972CDE71C2AF0F5AFA1C1C15,SHA256=63C1A7AC782F15980F47972E5B481C2E80EBCD1A2A497EAE93F469BD266CC638,IMPHASH=64F80A25C9178937C2771969A7448641trueMicrosoft WindowsValid 734700x80000000000000007998035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.547{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x80000000000000007998034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.547{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007998033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.547{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007998032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.547{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007998031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.547{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007998030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.547{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007998029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.547{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007998028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.547{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007998027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.547{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exeC:\Windows\System32\WerFault.exe10.0.14393.4402 (rs1_release.210426-1725)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerFault.exeMD5=1C7DB4A4F28D9003E4AC027D9F486B7E,SHA256=F4EF776BE91D69CA06E0C67848634C9C764DBA7B47365B643CFFC181B24EA51D,IMPHASH=4D7307CFBDBD0C5F1319B1CF5C054CA6trueMicrosoft WindowsValid 10341000x80000000000000007998026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.547{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.547{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.547{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.547{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.547{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\system32\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007998021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.547{3BF36828-EB54-60DD-6502-00000000C801}38724820C:\Windows\System32\svchost.exe{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\system32\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|c:\windows\system32\faultrep.dll+6abb|c:\windows\system32\faultrep.dll+7121|c:\windows\system32\wersvc.dll+b0bc|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+7794|c:\windows\system32\wersvc.dll+6c93|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007998020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.558{3BF36828-EB5F-60DD-7302-00000000C801}432C:\Windows\System32\WerFault.exe10.0.14393.4402 (rs1_release.210426-1725)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerFault.exeC:\Windows\system32\WerFault.exe -u -p 2024 -s 1816C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=1C7DB4A4F28D9003E4AC027D9F486B7E,SHA256=F4EF776BE91D69CA06E0C67848634C9C764DBA7B47365B643CFFC181B24EA51D,IMPHASH=4D7307CFBDBD0C5F1319B1CF5C054CA6{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe 10341000x80000000000000007998019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.547{3BF36828-EB54-60DD-6502-00000000C801}38724820C:\Windows\System32\svchost.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+b039|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+7794|c:\windows\system32\wersvc.dll+6c93|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.547{3BF36828-EB54-60DD-6502-00000000C801}38724820C:\Windows\System32\svchost.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+ae29|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+7794|c:\windows\system32\wersvc.dll+6c93|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.547{3BF36828-EB54-60DD-6502-00000000C801}38724820C:\Windows\System32\svchost.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x50C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+8a50|c:\windows\system32\wersvc.dll+86ec|c:\windows\system32\wersvc.dll+7794|c:\windows\system32\wersvc.dll+6c93|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.547{3BF36828-EB54-60DD-6502-00000000C801}38724820C:\Windows\System32\svchost.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1441C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+7050|c:\windows\system32\wersvc.dll+6c93|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007998015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.375{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeC:\Windows\System32\DDORes.dll10.0.14393.0 (rs1_release.160715-1616)Device Category information and resourcesMicrosoft® Windows® Operating SystemMicrosoft CorporationDeviceCategories.dllMD5=4D558BCF2062138ADC52D6A9297A9732,SHA256=D03BD3F1B5664492E360851297C0347B1E6973C157343E2B144B343C0FABB14C,IMPHASH=4ADE000E26811AE05A20CE8C732A4112trueMicrosoft WindowsValid 10341000x80000000000000007998014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.531{3BF36828-EB5F-60DD-7102-00000000C801}42285048C:\Windows\system32\WerFault.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\system32\wer.dll+37d6c|C:\Windows\system32\wer.dll+382c4|C:\Windows\system32\wer.dll+38c5a|C:\Windows\system32\wer.dll+13c54|C:\Windows\system32\wer.dll+6476|C:\Windows\system32\faultrep.dll+b61e|C:\Windows\system32\faultrep.dll+8864|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.515{3BF36828-EB5F-60DD-6F02-00000000C801}48564992C:\Windows\system32\WerFault.exe{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\system32\wer.dll+37d6c|C:\Windows\system32\wer.dll+382c4|C:\Windows\system32\wer.dll+38c5a|C:\Windows\system32\wer.dll+13c54|C:\Windows\system32\wer.dll+6476|C:\Windows\system32\faultrep.dll+b61e|C:\Windows\system32\faultrep.dll+8864|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.500{3BF36828-EB5F-60DD-6F02-00000000C801}48564992C:\Windows\system32\WerFault.exe{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\dbgeng.dll+280c4d|C:\Windows\SYSTEM32\dbgeng.dll+27c807|C:\Windows\SYSTEM32\dbgeng.dll+181398|C:\Windows\SYSTEM32\dbgeng.dll+1818e6|C:\Windows\SYSTEM32\dbgeng.dll+18746d|C:\Windows\SYSTEM32\dbgeng.dll+394cb|C:\Windows\SYSTEM32\dbgeng.dll+3932a|C:\Windows\SYSTEM32\dbgeng.dll+4dadb|C:\Windows\system32\faultrep.dll+110f3|C:\Windows\system32\faultrep.dll+97ee|C:\Windows\system32\faultrep.dll+b375|C:\Windows\system32\faultrep.dll+8864|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007998011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.500{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x80000000000000007998010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.500{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007998009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.500{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 10341000x80000000000000007998008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.500{3BF36828-EB5F-60DD-7102-00000000C801}42285048C:\Windows\system32\WerFault.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\dbgeng.dll+280c4d|C:\Windows\SYSTEM32\dbgeng.dll+27c807|C:\Windows\SYSTEM32\dbgeng.dll+181398|C:\Windows\SYSTEM32\dbgeng.dll+1818e6|C:\Windows\SYSTEM32\dbgeng.dll+18746d|C:\Windows\SYSTEM32\dbgeng.dll+394cb|C:\Windows\SYSTEM32\dbgeng.dll+3932a|C:\Windows\SYSTEM32\dbgeng.dll+4dadb|C:\Windows\system32\faultrep.dll+110f3|C:\Windows\system32\faultrep.dll+97ee|C:\Windows\system32\faultrep.dll+b375|C:\Windows\system32\faultrep.dll+8864|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007998007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.500{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\DbgModel.dll10.0.14321.1024 (debuggers(dbg).190305-1856)Windows Debugger Data ModelMicrosoft® Windows® Operating SystemMicrosoftDbgModel.DllMD5=5C0CB6EEB206114097FF8AE23623EABC,SHA256=B831287C9EDA9AE16291EEE1B3E3B62C9EC6A3FAFFDD215DC294AEBE7D741460,IMPHASH=582F1BF95ACB46724010A4BAB33FFA2BtrueMicrosoft WindowsValid 734700x80000000000000007998006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.500{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x80000000000000007998005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.500{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\dbgeng.dll10.0.14321.1024 (rs1_release.190305-1856)Windows Symbolic Debugger EngineMicrosoft® Windows® Operating SystemMicrosoftDbgEng.DllMD5=551A3B8C43F0C5977DC9F0EB118544C0,SHA256=0198852F19BAF5F32CECC8B6A1543D068B3C8DEFA6A71137C951D267D737D9DB,IMPHASH=3C1576CA310AF2169815CAE63D89B47FtrueMicrosoft WindowsValid 734700x80000000000000007998004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.500{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x80000000000000007998003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.500{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007998002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.500{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007998001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.500{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\DbgModel.dll10.0.14321.1024 (debuggers(dbg).190305-1856)Windows Debugger Data ModelMicrosoft® Windows® Operating SystemMicrosoftDbgModel.DllMD5=5C0CB6EEB206114097FF8AE23623EABC,SHA256=B831287C9EDA9AE16291EEE1B3E3B62C9EC6A3FAFFDD215DC294AEBE7D741460,IMPHASH=582F1BF95ACB46724010A4BAB33FFA2BtrueMicrosoft WindowsValid 734700x80000000000000007998000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.500{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x80000000000000007997999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.500{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\dbgeng.dll10.0.14321.1024 (rs1_release.190305-1856)Windows Symbolic Debugger EngineMicrosoft® Windows® Operating SystemMicrosoftDbgEng.DllMD5=551A3B8C43F0C5977DC9F0EB118544C0,SHA256=0198852F19BAF5F32CECC8B6A1543D068B3C8DEFA6A71137C951D267D737D9DB,IMPHASH=3C1576CA310AF2169815CAE63D89B47FtrueMicrosoft WindowsValid 734700x80000000000000007997998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.500{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=1AF6CD8B7CE4A852F67AA98C71AA1D26,SHA256=EF0DE008500A8C9C7908383AF11AE55845EBBE28C96C013EA720950BA89D3D28,IMPHASH=A90D5BC867A86FBF8F4557CE6F216093trueMicrosoft WindowsValid 734700x80000000000000007997997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.484{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x80000000000000007997996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.484{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\iertutil.dll11.00.14393.4283 (rs1_release.210303-1802)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=5541A4A7FB64063F8AFB192ABD4DAE70,SHA256=AABF2E6C392F29B77F076BF705976B68B3100138BC63060335BD154B8417754D,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x80000000000000007997995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.484{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007997994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.484{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007997993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.484{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x80000000000000007997992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.484{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x80000000000000007997991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.484{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x80000000000000007997990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.484{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x80000000000000007997989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.484{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 734700x80000000000000007997988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.484{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007997987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.484{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x80000000000000007997986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.484{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\aepic.dll10.0.19645.1032 (WinBuild.160101.0800)Application Experience Program CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationaepic.dllMD5=44537C14A81BC46E513E3284E08201B3,SHA256=05F30E8C2B215A187D2F317137A1DA5B2461BB345B55FA93EB7B0EAA150C1AB5,IMPHASH=01EB9BD88724091CA18150F23E332599trueMicrosoft WindowsValid 734700x80000000000000007997985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.484{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 10341000x80000000000000007997984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.484{3BF36828-EB5F-60DD-6F02-00000000C801}48564992C:\Windows\system32\WerFault.exe{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\system32\faultrep.dll+f0f8|C:\Windows\system32\faultrep.dll+8762|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.484{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007997982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.484{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\iertutil.dll11.00.14393.4283 (rs1_release.210303-1802)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=5541A4A7FB64063F8AFB192ABD4DAE70,SHA256=AABF2E6C392F29B77F076BF705976B68B3100138BC63060335BD154B8417754D,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 10341000x80000000000000007997981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.484{3BF36828-EB5F-60DD-6F02-00000000C801}48564992C:\Windows\system32\WerFault.exe{3BF36828-EB5F-60DD-7202-00000000C801}3420C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6614|C:\Windows\SYSTEM32\ntdll.dll+58dbb|C:\Windows\System32\KERNELBASE.dll+b780d|C:\Windows\system32\faultrep.dll+84bb|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.484{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007997979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.484{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007997978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.484{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x80000000000000007997977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.484{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x80000000000000007997976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.484{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x80000000000000007997975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.484{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x80000000000000007997974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.484{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 734700x80000000000000007997973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.484{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007997972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.484{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x80000000000000007997971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.484{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\aepic.dll10.0.19645.1032 (WinBuild.160101.0800)Application Experience Program CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationaepic.dllMD5=44537C14A81BC46E513E3284E08201B3,SHA256=05F30E8C2B215A187D2F317137A1DA5B2461BB345B55FA93EB7B0EAA150C1AB5,IMPHASH=01EB9BD88724091CA18150F23E332599trueMicrosoft WindowsValid 10341000x80000000000000007997970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-EB5F-60DD-7102-00000000C801}42285048C:\Windows\system32\WerFault.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\system32\faultrep.dll+f0f8|C:\Windows\system32\faultrep.dll+8762|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007997968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-EB5F-60DD-7102-00000000C801}42285048C:\Windows\system32\WerFault.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\faultrep.dll+80af|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-EB5F-60DD-7102-00000000C801}42285048C:\Windows\system32\WerFault.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\WerFault.exe+15a6e|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-EB5F-60DD-7102-00000000C801}42285048C:\Windows\system32\WerFault.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\WerFault.exe+1599f|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007997964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007997963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007997962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007997961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x80000000000000007997960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007997959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\Faultrep.dll10.0.14393.4402 (rs1_release.210426-1725)Windows User Mode Crash Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationfaultrep.dllMD5=6C00350227C90474B506650038D5C833,SHA256=54F0229A11A8087917952453F80C1244B4FCB74BF74518D28DB4333A591BBBF7,IMPHASH=0B5226C9569A08D86C4BC35F49183A6BtrueMicrosoft WindowsValid 734700x80000000000000007997958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007997957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FA,IMPHASH=5BAA515B293A764CA06512D078C4E624trueMicrosoft WindowsValid 734700x80000000000000007997956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x80000000000000007997955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007997954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\wintrust.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=D8CD8451D1E194230F18866AD6EFE5E7,SHA256=9977AA1287962035C24DF806DDA67F09FFE9BDF696DBA507D749C624AE1C178D,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x80000000000000007997953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007997952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007997951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007997950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\wer.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Error Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwer.dllMD5=65C4FEDB972CDE71C2AF0F5AFA1C1C15,SHA256=63C1A7AC782F15980F47972E5B481C2E80EBCD1A2A497EAE93F469BD266CC638,IMPHASH=64F80A25C9178937C2771969A7448641trueMicrosoft WindowsValid 734700x80000000000000007997949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x80000000000000007997948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007997947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007997946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007997945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007997944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007997943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007997942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007997941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007997940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exeC:\Windows\System32\WerFault.exe10.0.14393.4402 (rs1_release.210426-1725)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerFault.exeMD5=1C7DB4A4F28D9003E4AC027D9F486B7E,SHA256=F4EF776BE91D69CA06E0C67848634C9C764DBA7B47365B643CFFC181B24EA51D,IMPHASH=4D7307CFBDBD0C5F1319B1CF5C054CA6trueMicrosoft WindowsValid 10341000x80000000000000007997938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\system32\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007997934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.468{3BF36828-EB54-60DD-6502-00000000C801}38724892C:\Windows\System32\svchost.exe{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\system32\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|c:\windows\system32\faultrep.dll+6abb|c:\windows\system32\faultrep.dll+7121|c:\windows\system32\wersvc.dll+b0bc|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007997933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.469{3BF36828-EB5F-60DD-7102-00000000C801}4228C:\Windows\System32\WerFault.exe10.0.14393.4402 (rs1_release.210426-1725)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerFault.exeC:\Windows\system32\WerFault.exe -u -p 2024 -s 856C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=1C7DB4A4F28D9003E4AC027D9F486B7E,SHA256=F4EF776BE91D69CA06E0C67848634C9C764DBA7B47365B643CFFC181B24EA51D,IMPHASH=4D7307CFBDBD0C5F1319B1CF5C054CA6{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe 10341000x80000000000000007997932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-EB5F-60DD-6F02-00000000C801}48564992C:\Windows\system32\WerFault.exe{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\faultrep.dll+80af|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-EB5F-60DD-6F02-00000000C801}48564992C:\Windows\system32\WerFault.exe{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\WerFault.exe+15a6e|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-EB5F-60DD-6F02-00000000C801}48564992C:\Windows\system32\WerFault.exe{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\WerFault.exe+1599f|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-EB54-60DD-6502-00000000C801}38724892C:\Windows\System32\svchost.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+b039|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-EB54-60DD-6502-00000000C801}38724892C:\Windows\System32\svchost.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+ae29|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-EB54-60DD-6502-00000000C801}38724892C:\Windows\System32\svchost.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x50C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+8a50|c:\windows\system32\wersvc.dll+86ec|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-EB59-60DD-6B02-00000000C801}2024676C:\Windows\System32\spoolsv.exe{3BF36828-EB5F-60DD-7002-00000000C801}3616C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6614|C:\Windows\SYSTEM32\ntdll.dll+58dbb|C:\Windows\SYSTEM32\ntdll.dll+696b|C:\Windows\SYSTEM32\ntdll.dll+75bf|C:\Windows\SYSTEM32\ntdll.dll+6787|C:\Windows\SYSTEM32\ntdll.dll+ae746|C:\Windows\SYSTEM32\ntdll.dll+96776|C:\Windows\SYSTEM32\ntdll.dll+aa70d|C:\Windows\SYSTEM32\ntdll.dll+349c3|C:\Windows\SYSTEM32\ntdll.dll+366d9|C:\Windows\SYSTEM32\ntdll.dll+bfbd1|C:\Windows\SYSTEM32\ntdll.dll+52385|C:\Windows\system32\spool\DRIVERS\x64\3\evil.dll+1194|C:\Windows\system32\spool\DRIVERS\x64\3\evil.dll+11d8|C:\Windows\SYSTEM32\ntdll.dll+1859f|C:\Windows\SYSTEM32\ntdll.dll+71d1e|C:\Windows\SYSTEM32\ntdll.dll+71b6b|C:\Windows\SYSTEM32\ntdll.dll+2d7dd|C:\Windows\SYSTEM32\ntdll.dll+18b4d|C:\Windows\SYSTEM32\ntdll.dll+1512d|C:\Windows\SYSTEM32\ntdll.dll+11c4c|C:\Windows\System32\KERNELBASE.dll+25b2f|C:\Windows\system32\winspool.drv+52cd|C:\Windows\system32\winspool.drv+6a93 734700x80000000000000007997925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007997924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007997923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007997922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007997921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x80000000000000007997920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007997919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007997918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\Faultrep.dll10.0.14393.4402 (rs1_release.210426-1725)Windows User Mode Crash Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationfaultrep.dllMD5=6C00350227C90474B506650038D5C833,SHA256=54F0229A11A8087917952453F80C1244B4FCB74BF74518D28DB4333A591BBBF7,IMPHASH=0B5226C9569A08D86C4BC35F49183A6BtrueMicrosoft WindowsValid 734700x80000000000000007997917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FA,IMPHASH=5BAA515B293A764CA06512D078C4E624trueMicrosoft WindowsValid 734700x80000000000000007997916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x80000000000000007997915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007997914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\wintrust.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=D8CD8451D1E194230F18866AD6EFE5E7,SHA256=9977AA1287962035C24DF806DDA67F09FFE9BDF696DBA507D749C624AE1C178D,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x80000000000000007997913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007997912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007997911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007997910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\wer.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Error Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwer.dllMD5=65C4FEDB972CDE71C2AF0F5AFA1C1C15,SHA256=63C1A7AC782F15980F47972E5B481C2E80EBCD1A2A497EAE93F469BD266CC638,IMPHASH=64F80A25C9178937C2771969A7448641trueMicrosoft WindowsValid 734700x80000000000000007997909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x80000000000000007997908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007997907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007997906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007997905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007997904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007997903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007997902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007997901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007997898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exeC:\Windows\System32\WerFault.exe10.0.14393.4402 (rs1_release.210426-1725)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerFault.exeMD5=1C7DB4A4F28D9003E4AC027D9F486B7E,SHA256=F4EF776BE91D69CA06E0C67848634C9C764DBA7B47365B643CFFC181B24EA51D,IMPHASH=4D7307CFBDBD0C5F1319B1CF5C054CA6trueMicrosoft WindowsValid 10341000x80000000000000007997897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.453{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.437{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\system32\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007997894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.437{3BF36828-EB54-60DD-6502-00000000C801}38724820C:\Windows\System32\svchost.exe{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\system32\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|c:\windows\system32\faultrep.dll+6abb|c:\windows\system32\faultrep.dll+7121|c:\windows\system32\wersvc.dll+b0bc|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+7794|c:\windows\system32\wersvc.dll+6c93|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007997893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.452{3BF36828-EB5F-60DD-6F02-00000000C801}4856C:\Windows\System32\WerFault.exe10.0.14393.4402 (rs1_release.210426-1725)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerFault.exeC:\Windows\system32\WerFault.exe -u -p 220 -s 1368C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=1C7DB4A4F28D9003E4AC027D9F486B7E,SHA256=F4EF776BE91D69CA06E0C67848634C9C764DBA7B47365B643CFFC181B24EA51D,IMPHASH=4D7307CFBDBD0C5F1319B1CF5C054CA6{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exerundll32.exe 10341000x80000000000000007997892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.437{3BF36828-EB54-60DD-6502-00000000C801}38724820C:\Windows\System32\svchost.exe{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+b039|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+7794|c:\windows\system32\wersvc.dll+6c93|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.437{3BF36828-EB54-60DD-6502-00000000C801}38724820C:\Windows\System32\svchost.exe{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+ae29|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+7794|c:\windows\system32\wersvc.dll+6c93|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.437{3BF36828-EB54-60DD-6502-00000000C801}38724820C:\Windows\System32\svchost.exe{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exe0x50C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+8a50|c:\windows\system32\wersvc.dll+86ec|c:\windows\system32\wersvc.dll+7794|c:\windows\system32\wersvc.dll+6c93|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.437{3BF36828-EB54-60DD-6502-00000000C801}38724820C:\Windows\System32\svchost.exe{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exe0x1441C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+7050|c:\windows\system32\wersvc.dll+6c93|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.406{3BF36828-EB5F-60DD-6E02-00000000C801}39804420C:\Windows\system32\WerFault.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\system32\wer.dll+37d6c|C:\Windows\system32\wer.dll+382c4|C:\Windows\system32\wer.dll+38c5a|C:\Windows\system32\wer.dll+13c54|C:\Windows\system32\wer.dll+6476|C:\Windows\system32\faultrep.dll+b61e|C:\Windows\system32\faultrep.dll+8864|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.375{3BF36828-EB5F-60DD-6E02-00000000C801}39804420C:\Windows\system32\WerFault.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\dbgeng.dll+280c4d|C:\Windows\SYSTEM32\dbgeng.dll+27c807|C:\Windows\SYSTEM32\dbgeng.dll+181398|C:\Windows\SYSTEM32\dbgeng.dll+1818e6|C:\Windows\SYSTEM32\dbgeng.dll+18746d|C:\Windows\SYSTEM32\dbgeng.dll+394cb|C:\Windows\SYSTEM32\dbgeng.dll+3932a|C:\Windows\SYSTEM32\dbgeng.dll+4dadb|C:\Windows\system32\faultrep.dll+110f3|C:\Windows\system32\faultrep.dll+97ee|C:\Windows\system32\faultrep.dll+b375|C:\Windows\system32\faultrep.dll+8864|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.375{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x80000000000000007997885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.375{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007997884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.375{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007997883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.375{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\DbgModel.dll10.0.14321.1024 (debuggers(dbg).190305-1856)Windows Debugger Data ModelMicrosoft® Windows® Operating SystemMicrosoftDbgModel.DllMD5=5C0CB6EEB206114097FF8AE23623EABC,SHA256=B831287C9EDA9AE16291EEE1B3E3B62C9EC6A3FAFFDD215DC294AEBE7D741460,IMPHASH=582F1BF95ACB46724010A4BAB33FFA2BtrueMicrosoft WindowsValid 734700x80000000000000007997882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.375{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x80000000000000007997881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.375{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\dbgeng.dll10.0.14321.1024 (rs1_release.190305-1856)Windows Symbolic Debugger EngineMicrosoft® Windows® Operating SystemMicrosoftDbgEng.DllMD5=551A3B8C43F0C5977DC9F0EB118544C0,SHA256=0198852F19BAF5F32CECC8B6A1543D068B3C8DEFA6A71137C951D267D737D9DB,IMPHASH=3C1576CA310AF2169815CAE63D89B47FtrueMicrosoft WindowsValid 734700x80000000000000007997880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.359{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x80000000000000007997879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.359{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\iertutil.dll11.00.14393.4283 (rs1_release.210303-1802)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=5541A4A7FB64063F8AFB192ABD4DAE70,SHA256=AABF2E6C392F29B77F076BF705976B68B3100138BC63060335BD154B8417754D,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x80000000000000007997878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.343{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007997877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.343{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007997876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.343{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x80000000000000007997875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.343{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x80000000000000007997874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.343{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x80000000000000007997873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.343{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x80000000000000007997872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.343{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 734700x80000000000000007997871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.343{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007997870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.343{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x80000000000000007997869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.343{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\aepic.dll10.0.19645.1032 (WinBuild.160101.0800)Application Experience Program CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationaepic.dllMD5=44537C14A81BC46E513E3284E08201B3,SHA256=05F30E8C2B215A187D2F317137A1DA5B2461BB345B55FA93EB7B0EAA150C1AB5,IMPHASH=01EB9BD88724091CA18150F23E332599trueMicrosoft WindowsValid 10341000x80000000000000007997868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.343{3BF36828-EB5F-60DD-6E02-00000000C801}39804420C:\Windows\system32\WerFault.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\system32\faultrep.dll+f0f8|C:\Windows\system32\faultrep.dll+8762|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.343{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007997866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.343{3BF36828-EB5F-60DD-6E02-00000000C801}39804420C:\Windows\system32\WerFault.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\faultrep.dll+80af|C:\Windows\system32\faultrep.dll+720c|C:\Windows\system32\WerFault.exe+15abe|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.343{3BF36828-EB5F-60DD-6E02-00000000C801}39804420C:\Windows\system32\WerFault.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\WerFault.exe+15a6e|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.343{3BF36828-EB5F-60DD-6E02-00000000C801}39804420C:\Windows\system32\WerFault.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\WerFault.exe+1599f|C:\Windows\system32\WerFault.exe+13e8|C:\Windows\system32\WerFault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.343{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007997862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.343{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007997861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.343{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007997860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.343{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007997859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.343{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 734700x80000000000000007997858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.343{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007997857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.343{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007997856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.328{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\ncryptsslp.dll10.0.14393.3541 (rs1_release_inmarket.200218-2047)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=E1BDF589E27B64D6637852872F4BA1D0,SHA256=C79B6A4AD264169C5B6F177083FD17C26832CD6A838DB697C7BC3C533A162733,IMPHASH=239D379DAEC05CA48775D7DD3AA4BFCAtrueMicrosoft WindowsValid 734700x80000000000000007997855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.328{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\Faultrep.dll10.0.14393.4402 (rs1_release.210426-1725)Windows User Mode Crash Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationfaultrep.dllMD5=6C00350227C90474B506650038D5C833,SHA256=54F0229A11A8087917952453F80C1244B4FCB74BF74518D28DB4333A591BBBF7,IMPHASH=0B5226C9569A08D86C4BC35F49183A6BtrueMicrosoft WindowsValid 734700x80000000000000007997854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.328{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007997853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.328{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\gpapi.dll10.0.14393.3986 (rs1_release.201002-1707)Group Policy Client APIMicrosoft® Windows® Operating SystemMicrosoft Corporationgpapi.dllMD5=601EDCF334B3DA561BE85560BFAB4831,SHA256=69422D4F7B2E9673178761052D25718F2F1F1D7D5B0962798ECAC66C123FB207,IMPHASH=54A7A105E11720BE50C587CF0CFA8828trueMicrosoft WindowsValid 734700x80000000000000007997852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.328{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FA,IMPHASH=5BAA515B293A764CA06512D078C4E624trueMicrosoft WindowsValid 734700x80000000000000007997851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.328{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x80000000000000007997850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\wintrust.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=D8CD8451D1E194230F18866AD6EFE5E7,SHA256=9977AA1287962035C24DF806DDA67F09FFE9BDF696DBA507D749C624AE1C178D,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x80000000000000007997849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007997848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007997847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007997846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\wer.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Error Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwer.dllMD5=65C4FEDB972CDE71C2AF0F5AFA1C1C15,SHA256=63C1A7AC782F15980F47972E5B481C2E80EBCD1A2A497EAE93F469BD266CC638,IMPHASH=64F80A25C9178937C2771969A7448641trueMicrosoft WindowsValid 734700x80000000000000007997845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x80000000000000007997844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.265{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\wininet.dll11.00.14393.4402 (rs1_release.210426-1725)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=27D3D531D0EA9B3EE7F54C4DE5A15946,SHA256=05254BA3332E887C9F97D42406A7C2CEE4DF405ECAF39391968FD472CC4F1F89,IMPHASH=B3ABC7D59C2B1ACAEECA63C53B0AAC4BtrueMicrosoft WindowsValid 734700x80000000000000007997843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007997842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007997841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007997840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007997839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007997838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007997837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x80000000000000007997836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007997834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007997832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exeC:\Windows\System32\WerFault.exe10.0.14393.4402 (rs1_release.210426-1725)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerFault.exeMD5=1C7DB4A4F28D9003E4AC027D9F486B7E,SHA256=F4EF776BE91D69CA06E0C67848634C9C764DBA7B47365B643CFFC181B24EA51D,IMPHASH=4D7307CFBDBD0C5F1319B1CF5C054CA6trueMicrosoft WindowsValid 10341000x80000000000000007997831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 10341000x80000000000000007997828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\system32\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007997827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-EB54-60DD-6502-00000000C801}38724820C:\Windows\System32\svchost.exe{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\system32\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|c:\windows\system32\faultrep.dll+6abb|c:\windows\system32\faultrep.dll+7121|c:\windows\system32\wersvc.dll+b0bc|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007997826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.321{3BF36828-EB5F-60DD-6E02-00000000C801}3980C:\Windows\System32\WerFault.exe10.0.14393.4402 (rs1_release.210426-1725)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerFault.exeC:\Windows\system32\WerFault.exe -u -p 2024 -s 1772C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=1C7DB4A4F28D9003E4AC027D9F486B7E,SHA256=F4EF776BE91D69CA06E0C67848634C9C764DBA7B47365B643CFFC181B24EA51D,IMPHASH=4D7307CFBDBD0C5F1319B1CF5C054CA6{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe 734700x80000000000000007997825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007997824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\wintrust.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=D8CD8451D1E194230F18866AD6EFE5E7,SHA256=9977AA1287962035C24DF806DDA67F09FFE9BDF696DBA507D749C624AE1C178D,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x80000000000000007997823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30E,IMPHASH=8F811B713271A0FEFA798FB95D523A8BtrueMicrosoft WindowsValid 734700x80000000000000007997822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843,IMPHASH=EAA4328F5E33714FA08C71E4AAE43CC1trueMicrosoft WindowsValid 10341000x80000000000000007997821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-EB54-60DD-6502-00000000C801}38724820C:\Windows\System32\svchost.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+b039|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-EB54-60DD-6502-00000000C801}38724820C:\Windows\System32\svchost.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+ae29|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4,IMPHASH=B6A1A16A2B5E910045E998CD7709E966trueMicrosoft WindowsValid 734700x80000000000000007997818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 10341000x80000000000000007997817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-EB54-60DD-6502-00000000C801}38724820C:\Windows\System32\svchost.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x50C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+8a50|c:\windows\system32\wersvc.dll+86ec|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=87A5C9919D4A67629718959772E120DD,SHA256=707BD6ECE458848F7343C2CF3184A74D99C40E7F5E58E5DA608E4C88D03609E4,IMPHASH=D74AB287506D6E20949755E75302AD32trueMicrosoft WindowsValid 10341000x80000000000000007997815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-EB59-60DD-6B02-00000000C801}2024676C:\Windows\System32\spoolsv.exe{3BF36828-EB5F-60DD-6D02-00000000C801}4768C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6614|C:\Windows\SYSTEM32\ntdll.dll+58dbb|C:\Windows\SYSTEM32\ntdll.dll+696b|C:\Windows\SYSTEM32\ntdll.dll+75bf|C:\Windows\SYSTEM32\ntdll.dll+6787|C:\Windows\SYSTEM32\ntdll.dll+fe33a|C:\Windows\SYSTEM32\ntdll.dll+ae01b|C:\Windows\SYSTEM32\ntdll.dll+96776|C:\Windows\SYSTEM32\ntdll.dll+a57e2|C:\Windows\SYSTEM32\ntdll.dll+aa70d|C:\Windows\SYSTEM32\ntdll.dll+349c3|C:\Windows\SYSTEM32\ntdll.dll+366d9|C:\Windows\SYSTEM32\ntdll.dll+bfbd1|C:\Windows\SYSTEM32\ntdll.dll+52385|C:\Windows\system32\spool\DRIVERS\x64\3\evil.dll+1194|C:\Windows\system32\spool\DRIVERS\x64\3\evil.dll+11d8|C:\Windows\SYSTEM32\ntdll.dll+1859f|C:\Windows\SYSTEM32\ntdll.dll+71d1e|C:\Windows\SYSTEM32\ntdll.dll+71b6b|C:\Windows\SYSTEM32\ntdll.dll+2d7dd|C:\Windows\SYSTEM32\ntdll.dll+18b4d|C:\Windows\SYSTEM32\ntdll.dll+1512d|C:\Windows\SYSTEM32\ntdll.dll+11c4c|C:\Windows\System32\KERNELBASE.dll+25b2f 734700x80000000000000007997814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x80000000000000007997813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FA,IMPHASH=5BAA515B293A764CA06512D078C4E624trueMicrosoft WindowsValid 734700x80000000000000007997812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.312{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=2562B81E255EB6DF8497402ABC6C59BB,SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4,IMPHASH=D9603397C5B04530FFA0321E70FF2308trueMicrosoft WindowsValid 734700x80000000000000007997811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.297{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\urlmon.dll11.00.14393.4402 (rs1_release.210426-1725)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=3562767F9C1D8359A735D4F64A9733F5,SHA256=7E60D82C417779D316000AD376BE9BA2CD14728616F35289E34E47CC6839620B,IMPHASH=198DE5B70ABFFE7B73AD088D655B26D1trueMicrosoft WindowsValid 734700x80000000000000007997810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.281{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000007997809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.281{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007997808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.281{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1,IMPHASH=77951C1B66390D48C5FC7B47D7C8668AtrueMicrosoft WindowsValid 734700x80000000000000007997807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.281{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 734700x80000000000000007997806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.281{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\winhttp.dll10.0.14393.4169 (rs1_release.210107-1130)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=24995B62FFC2519B34A2145673BD275F,SHA256=BB7D4DE1BE6111462F65F999A8969DA04113F15A80D534A93D3CCC76A9FE1F22,IMPHASH=F1FC6BF3699C289EBAF914A7771E49CDtrueMicrosoft WindowsValid 734700x80000000000000007997805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.281{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007997804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.281{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355,IMPHASH=FE994282C73F9AB11AC9B6E37AC26B47trueMicrosoft WindowsValid 734700x80000000000000007997803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.281{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007997802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.281{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007997801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.281{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007997800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.281{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x80000000000000007997799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.281{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007997798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.281{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x80000000000000007997797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.281{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x80000000000000007997796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.281{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x80000000000000007997795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.265{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007997794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.265{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007997793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.265{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007997792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.265{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007997791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.265{3BF36828-DD0B-60DD-0B00-00000000C801}6521204C:\Windows\system32\lsass.exe{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.265{3BF36828-DD0B-60DD-0B00-00000000C801}6521204C:\Windows\system32\lsass.exe{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.265{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007997788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.265{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007997787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.265{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007997786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.265{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\iertutil.dll11.00.14393.4283 (rs1_release.210303-1802)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=5541A4A7FB64063F8AFB192ABD4DAE70,SHA256=AABF2E6C392F29B77F076BF705976B68B3100138BC63060335BD154B8417754D,IMPHASH=BB80FB0B79AB68B9AA174726B09C8CE9trueMicrosoft WindowsValid 734700x80000000000000007997785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.265{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\imagehlp.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT Image HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationIMAGEHLP.DLLMD5=E1C665DC0FD5A7423B0C0F5325A1027F,SHA256=8B84BE9335EF640ABAA8E8BBA45C6BC77F2251359D4BCC157235CB4BC107AE69,IMPHASH=C88C4D131D277C03F0879B4E0D5679DBtrueMicrosoft WindowsValid 10341000x80000000000000007997784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.265{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.265{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.265{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 10341000x80000000000000007997781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.265{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.265{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.265{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007997778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.265{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007997777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.265{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007997776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.265{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007997775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.265{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007997774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.265{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007997773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.265{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007997772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.265{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007997771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.265{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6CtrueMicrosoft WindowsValid 10341000x80000000000000007997770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.265{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007997769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.265{3BF36828-EB59-60DD-6B02-00000000C801}2024676C:\Windows\System32\spoolsv.exe{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+5fc62|C:\Windows\System32\KERNELBASE.dll+5f7f6|C:\Windows\System32\KERNEL32.DLL+1bcc3|C:\Windows\system32\spool\DRIVERS\x64\3\evil.dll+10d9|C:\Windows\system32\spool\DRIVERS\x64\3\evil.dll+11d8|C:\Windows\SYSTEM32\ntdll.dll+1859f|C:\Windows\SYSTEM32\ntdll.dll+71d1e|C:\Windows\SYSTEM32\ntdll.dll+71b6b|C:\Windows\SYSTEM32\ntdll.dll+2d7dd|C:\Windows\SYSTEM32\ntdll.dll+18b4d|C:\Windows\SYSTEM32\ntdll.dll+1512d|C:\Windows\SYSTEM32\ntdll.dll+11c4c|C:\Windows\System32\KERNELBASE.dll+25b2f|C:\Windows\system32\winspool.drv+52cd|C:\Windows\system32\winspool.drv+6a93|C:\Windows\System32\PrintIsolationProxy.dll+605b|C:\Windows\System32\PrintIsolationProxy.dll+5234|C:\Windows\System32\localspl.dll+2c947|C:\Windows\System32\localspl.dll+2e4f2|C:\Windows\System32\localspl.dll+3f930|C:\Windows\System32\localspl.dll+3f588|C:\Windows\System32\localspl.dll+366f6 154100x80000000000000007997768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.270{3BF36828-EB5F-60DD-6C02-00000000C801}220C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXErundll32.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe 734700x80000000000000007997767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.265{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\evil.dll-----MD5=2E095DF3D3FC82B6171F548DA0699833,SHA256=4033B2A0206F4B4E915CFB0912954F6C169D2D3545090AA72AEBF6910596F0B8,IMPHASH=22647E5B96F2DE81D003F25D98D7D2DCfalse-Unavailable 13241300x80000000000000007997766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localInvDB-DriverVerSetValue2021-07-01 16:20:47.265{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeHKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\1234\DriverVersion0.0.0.0 11241100x80000000000000007997765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localDLL2021-07-01 16:20:47.250{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\New\evil.dll2021-07-01 16:11:19.000 23542300x80000000000000007997764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.250{3BF36828-EB59-60DD-6B02-00000000C801}2024NT AUTHORITY\SYSTEMC:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\New\evil.dllMD5=2E095DF3D3FC82B6171F548DA0699833,SHA256=4033B2A0206F4B4E915CFB0912954F6C169D2D3545090AA72AEBF6910596F0B8,IMPHASH=22647E5B96F2DE81D003F25D98D7D2DCfalsetrue 11241100x80000000000000007997763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localDLL2021-07-01 16:20:47.234{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\New\evil.dll2021-07-01 16:20:47.234 11241100x80000000000000007997762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localDLL2021-07-01 16:20:47.234{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\New\UNIDRV.DLL2021-07-01 16:20:47.234 734700x80000000000000007997761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.234{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\mscms.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Color Matching System DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCMS.DLLMD5=85508B678B5852611B112F61858CFC9B,SHA256=88BEBDCCD2532A4D62C4D5EFE475590513BAA7C90C0885FC68DC4451BD06DF8A,IMPHASH=9C1E7CCABDEA296D63CB0D1AF20AD0E3trueMicrosoft WindowsValid 734700x80000000000000007997760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.234{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\ntprint.dll10.0.14393.4169 (rs1_release.210107-1130)Spooler Setup DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPRINTUI.DLLMD5=FCD56A8D372CFB6470F37F73DB5980E9,SHA256=7D6DBED9D573BC91B7DAEE45132696ACE13CAF76336B91C02E2BEE12512B7CAA,IMPHASH=41A92CD30D93B5E45AC65C66BC12C1F4trueMicrosoft WindowsValid 23542300x80000000000000007997759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.234{3BF36828-EB59-60DD-6B02-00000000C801}2024NT AUTHORITY\SYSTEMC:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\Old\3\UNIDRV.DLLMD5=E436D98FF6EA2DEFCC71561E46718CF8,SHA256=24635AE9BC12B4133CE35EF96CACA51A269ECC320BC1CD9A257417D16959D087,IMPHASH=012DBD89908BD18476361E7B607D0AD9truetrue 23542300x80000000000000007997758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.218{3BF36828-EB59-60DD-6B02-00000000C801}2024NT AUTHORITY\SYSTEMC:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\Old\3\evil.dllMD5=2E095DF3D3FC82B6171F548DA0699833,SHA256=4033B2A0206F4B4E915CFB0912954F6C169D2D3545090AA72AEBF6910596F0B8,IMPHASH=22647E5B96F2DE81D003F25D98D7D2DCtruetrue 23542300x80000000000000007997757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.218{3BF36828-EB59-60DD-6B02-00000000C801}2024NT AUTHORITY\SYSTEMC:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\Old\2\UNIDRV.DLLMD5=E436D98FF6EA2DEFCC71561E46718CF8,SHA256=24635AE9BC12B4133CE35EF96CACA51A269ECC320BC1CD9A257417D16959D087,IMPHASH=012DBD89908BD18476361E7B607D0AD9truetrue 734700x80000000000000007997756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.218{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\UNIDRV.DLL10.0.14393.4046 (rs1_release.201028-1803)Unidrv Printer DriverMicrosoft® Windows® Operating SystemMicrosoft CorporationUNIDRV.DLLMD5=E436D98FF6EA2DEFCC71561E46718CF8,SHA256=24635AE9BC12B4133CE35EF96CACA51A269ECC320BC1CD9A257417D16959D087,IMPHASH=012DBD89908BD18476361E7B607D0AD9trueMicrosoft WindowsValid 10341000x80000000000000007997755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.218{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.218{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\kernelbase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 23542300x80000000000000007997753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.218{3BF36828-EB59-60DD-6B02-00000000C801}2024NT AUTHORITY\SYSTEMC:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\Old\2\kernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9truetrue 13241300x80000000000000007997752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localInvDB-DriverVerSetValue2021-07-01 16:20:47.218{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeHKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\1234\DriverVersion0.0.0.0 734700x80000000000000007997751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.156{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570,IMPHASH=2E790E44628AED89C2CC17E1E4A5CE1CtrueMicrosoft WindowsValid 734700x80000000000000007997750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.156{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\win32spl.dll10.0.14393.4169 (rs1_release.210107-1130)Client Side Rendering Print ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationwin32spl.dllMD5=C000FFE69C767D54449CF711619B8DFB,SHA256=DE547D157D96DCA1BABF226DE46DAD589FFCE02BF090354D1975C6F87FDDD29B,IMPHASH=9C804F220C58F0D8846B32977062AB6DtrueMicrosoft WindowsValid 11241100x80000000000000007997749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localDLL2021-07-01 16:20:47.203{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\New\evil.dll2021-07-01 16:11:19.000 23542300x80000000000000007997748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.187{3BF36828-EB59-60DD-6B02-00000000C801}2024NT AUTHORITY\SYSTEMC:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\Old\2\evil.dllMD5=2E095DF3D3FC82B6171F548DA0699833,SHA256=4033B2A0206F4B4E915CFB0912954F6C169D2D3545090AA72AEBF6910596F0B8,IMPHASH=22647E5B96F2DE81D003F25D98D7D2DCtruetrue 23542300x80000000000000007997747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.187{3BF36828-EB59-60DD-6B02-00000000C801}2024NT AUTHORITY\SYSTEMC:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\Old\1\UNIDRV.DLLMD5=E436D98FF6EA2DEFCC71561E46718CF8,SHA256=24635AE9BC12B4133CE35EF96CACA51A269ECC320BC1CD9A257417D16959D087,IMPHASH=012DBD89908BD18476361E7B607D0AD9truetrue 11241100x80000000000000007997746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localDLL2021-07-01 16:20:47.187{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\New\kernelbase.dll2021-04-14 04:03:54.303 11241100x80000000000000007997745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.localDLL2021-07-01 16:20:47.187{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\New\UNIDRV.DLL2020-11-11 04:43:57.400 734700x80000000000000007997744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.140{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\prtprocs\x64\winprint.dll10.0.14393.4104 (rs1_release.201202-1742)Windows Print Processor DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwinprint.dllMD5=0D14ADC76702690ECF3FBEEB8BD68F2F,SHA256=E1D289EC40D8B5CBABA71A87DD9885CC98FC81D064FD811DAC121D51D0C2C10E,IMPHASH=4A5322FFADCB709210EC79A33718D3F8trueMicrosoft WindowsValid 10341000x80000000000000007997743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.187{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.187{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\spinf.dll10.0.14393.0 (rs1_release.160715-1616)Windows SPINFMicrosoft® Windows® Operating SystemMicrosoft CorporationSPINF.DLLMD5=31EB34EF0BA43F1F106DD1F19A6A489B,SHA256=2A0002ACC6940D293E3E3FE2035C9AA0D639964F752C1C8C11ED867251E8D83C,IMPHASH=68DF7CC0AA1D7C3945224E1F9870BDA7trueMicrosoft WindowsValid 734700x80000000000000007997741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.187{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\devrtl.dll10.0.14393.0 (rs1_release.160715-1616)Device Management Run Time LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationDEVRTL.DLLMD5=103D84E49F517098C0E8E14044BB1F73,SHA256=370BAADCA5D39C94A532D2E80EBA6CA537B47E41038A332412AEE4BBA5F025B9,IMPHASH=5DE6FAFA9C141BF53E629553C4AB42FBtrueMicrosoft WindowsValid 734700x80000000000000007997740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.187{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\mscms.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Color Matching System DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCMS.DLLMD5=85508B678B5852611B112F61858CFC9B,SHA256=88BEBDCCD2532A4D62C4D5EFE475590513BAA7C90C0885FC68DC4451BD06DF8A,IMPHASH=9C1E7CCABDEA296D63CB0D1AF20AD0E3trueMicrosoft WindowsValid 734700x80000000000000007997739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.187{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\ntprint.dll10.0.14393.4169 (rs1_release.210107-1130)Spooler Setup DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPRINTUI.DLLMD5=FCD56A8D372CFB6470F37F73DB5980E9,SHA256=7D6DBED9D573BC91B7DAEE45132696ACE13CAF76336B91C02E2BEE12512B7CAA,IMPHASH=41A92CD30D93B5E45AC65C66BC12C1F4trueMicrosoft WindowsValid 23542300x80000000000000007997738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.187{3BF36828-EB59-60DD-6B02-00000000C801}2024NT AUTHORITY\SYSTEMC:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\Old\1\kernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9truetrue 734700x80000000000000007997737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.140{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\fdPnp.dll10.0.14393.4169 (rs1_release.210107-1130)Pnp Provider DllMicrosoft® Windows® Operating SystemMicrosoft CorporationfdPnp.dllMD5=23D6408C20F4A0047E5F586354492C2F,SHA256=49F69E54AA909ECFD8A463B102BE708B496AD9A1EF73BAD2C10383E234AA75B1,IMPHASH=CE603E72BE35448111FFAD017648951FtrueMicrosoft WindowsValid 10341000x80000000000000007997736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.172{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+58a7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.172{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.172{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.172{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.140{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\fundisc.dll10.0.14393.0 (rs1_release.160715-1616)Function Discovery DllMicrosoft® Windows® Operating SystemMicrosoft CorporationFunDisc.dllMD5=0F54ABD1EAC74FC00BED394DC7F3F682,SHA256=366EB1FCC88FA18EAFA954FBBB967B0E1383929E2FADBB54ED2174E9B07F0998,IMPHASH=DA6C3183FBFC5FF462CA880F87A5C413trueMicrosoft WindowsValid 10341000x80000000000000007997731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.172{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.172{3BF36828-DD0B-60DD-0B00-00000000C801}6521204C:\Windows\system32\lsass.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\kerberos.DLL+61fca|C:\Windows\system32\kerberos.DLL+4d30e|C:\Windows\system32\kerberos.DLL+1ce2|C:\Windows\system32\lsasrv.dll+29641|C:\Windows\system32\lsasrv.dll+290b4|C:\Windows\system32\lsasrv.dll+2a316|C:\Windows\system32\lsasrv.dll+29665|C:\Windows\system32\lsasrv.dll+26321|C:\Windows\SYSTEM32\SspiSrv.dll+16e7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000007997729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.172{3BF36828-DD0B-60DD-0B00-00000000C801}6521204C:\Windows\system32\lsass.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.172{3BF36828-DD0B-60DD-0B00-00000000C801}6521204C:\Windows\system32\lsass.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.125{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\fwbase.dll10.0.14393.0 (rs1_release.160715-1616)Firewall Base DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationfwbase.dllMD5=216C0DC7BEBD19C616A7BCE54F57F70C,SHA256=2305E780D161A736DB237727AC78EC1D2462793FD5013D126621B4BBBB16D743,IMPHASH=4D74FD81A888167F0D448CDA56ED51C9trueMicrosoft WindowsValid 734700x80000000000000007997726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.125{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\webservices.dll10.0.14393.2312 (rs1_release.180607-1919)Windows Web Services RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationWebServices.dllMD5=3EE43755685D59060FAC0E2F09D67686,SHA256=BF80D9B840C28BC4E8FE9A4E6DBCCCAEE37A108F83428ABA1DD780D5312369D8,IMPHASH=21CAA202FAEFBDF78B727F64E8C79245trueMicrosoft WindowsValid 10341000x80000000000000007997725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.172{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+58a7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.172{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007997723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.156{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.156{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 10341000x80000000000000007997721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.156{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007997720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.156{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007997719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.156{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007997718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.125{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\FirewallAPI.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Firewall APIMicrosoft® Windows® Operating SystemMicrosoft CorporationFirewallAPI.DLLMD5=C7DD193AFCCF63B97C559993608EDAF0,SHA256=26E7628E9C65352F730F38D7BF32A845CC1CAEEC034152B1CDE85F9B89D1A6DC,IMPHASH=39BEAE1D9F26D2F49E282C68C8644857trueMicrosoft WindowsValid 734700x80000000000000007997717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.140{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\dsrole.dll10.0.14393.0 (rs1_release.160715-1616)DS Setup Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationDSROLE.DLLMD5=2A319EC8DF0FB5C46CF311B9D2B65B1D,SHA256=62B8900EFDF4B30E54E11232A8DA95DBF066DAEFD364A66EB99ADC028A3798F7,IMPHASH=E4AC0A0BD42B7356347D6A1BE150F6A6trueMicrosoft WindowsValid 734700x80000000000000007997716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.140{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\gpapi.dll10.0.14393.3986 (rs1_release.201002-1707)Group Policy Client APIMicrosoft® Windows® Operating SystemMicrosoft Corporationgpapi.dllMD5=601EDCF334B3DA561BE85560BFAB4831,SHA256=69422D4F7B2E9673178761052D25718F2F1F1D7D5B0962798ECAC66C123FB207,IMPHASH=54A7A105E11720BE50C587CF0CFA8828trueMicrosoft WindowsValid 734700x80000000000000007997715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.109{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\WSDApi.dll10.0.14393.4169 (rs1_release.210107-1130)Web Services for Devices API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsdapi.dllMD5=9ED82F0803A7BFDDA1F3923B816B44E0,SHA256=873546DCFF25E8DD3E7B56C1E23BFC6CFF00938245410D07F096C0D7720CD29D,IMPHASH=5F24B36787DB424CE025987AD54CB835trueMicrosoft WindowsValid 734700x80000000000000007997714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.140{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\userenv.dll10.0.14393.3986 (rs1_release.201002-1707)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=047D26DCED07A10913C3E7C3A7502BED,SHA256=143C661F79AC6BB271452A10C2A19F6B1AAAAE43B4062B6CFF173F7D8ABC40FE,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x80000000000000007997713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.140{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\drvstore.dll10.0.14393.2791 (rs1_release.190205-1511)Driver Store APIMicrosoft® Windows® Operating SystemMicrosoft CorporationDRVSTORE.DLLMD5=D0DE1D69FC3F00F65F8D67C31BCC9682,SHA256=F27CEB248FCB3444B850896CB916DACC10BC730E7C2679D2A6C2582CC667F8AD,IMPHASH=AC3F232984E3ABCCF80F1B2A1ACA9991trueMicrosoft WindowsValid 734700x80000000000000007997712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.140{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\atl.dll3.05.2284ATL Module for Windows XP (Unicode)Microsoft (R) Visual C++Microsoft CorporationATL.DLLMD5=C1B73181019C1E1F28F4161B5F198B7F,SHA256=C3678504437D23910C18D3680B05B4E819A2229BDD0E1E0567186C70D814560D,IMPHASH=5500EF6AAEED0FAA2DE0F3B65E67DE20trueMicrosoft WindowsValid 734700x80000000000000007997711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.140{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x80000000000000007997710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.109{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\deviceassociation.dll10.0.14393.0 (rs1_release.160715-1616)Device Association Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdeviceassociation.dllMD5=68139108F7E1D4327BE76289E14C2159,SHA256=05436A7EE5EE877F3EA6B12604D41EFCE288F093AAEE03A906FB7C9A4A76DFDA,IMPHASH=CA757A840D91610BF593E8A2814EB9B3trueMicrosoft WindowsValid 734700x80000000000000007997709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.125{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\msxml6.dll6.30.14393.4402MSXML 6.0Microsoft XML Core ServicesMicrosoft CorporationMSXML6.dllMD5=B180CFB17D7039CAC46371B8CA857F22,SHA256=C62664A4AA96626864D394EC99F5562DDC59C1CF4DF57AF8E699079F16A85695,IMPHASH=A74F148CA887740D0E045C70ACC762EBtrueMicrosoft WindowsValid 734700x80000000000000007997708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.125{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x80000000000000007997707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.109{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\WSDMon.dll10.0.14393.3686 (rs1_release.200504-1524)WSD Printer Port MonitorMicrosoft® Windows® Operating SystemMicrosoft CorporationWsdMon.dllMD5=2A0FE631E3788072815B3D869D6E4807,SHA256=1EB91F04C6A7D3933A7C9FAB875F423BD87F9319D579A3F7E10F5EA964B75394,IMPHASH=1677C9B823A0EB4D16AAD105FF58396DtrueMicrosoft WindowsValid 734700x80000000000000007997706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.093{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\usbmon.dll10.0.14393.4169 (rs1_release.210107-1130)Standard Dynamic Printing Port Monitor DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationDynaMon.dllMD5=6C5C4EFF050C5157E37BDE60A2C93DDD,SHA256=A4E0631B667DB3665D9781DC4D20306FFD50FDA03266A2A909CE8244EEBBA7F0,IMPHASH=ACC1B8328E5E4AA73A6376F3B0DE82CBtrueMicrosoft WindowsValid 734700x80000000000000007997705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.093{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\wsnmp32.dll10.0.14393.2214 (rs1_release_1.180402-1758)Microsoft WinSNMP v2.0 Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwsnmp32.dllMD5=3D2AA27D9045CF6666C0AEB154F54412,SHA256=7504DFA5299D7E728A19ECC56E1A571A9284942F264560B14F8EBD2C82B82F0E,IMPHASH=6A0DE6511779416C6B1A6AB97E623253trueMicrosoft WindowsValid 734700x80000000000000007997704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.109{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\winhttp.dll10.0.14393.4169 (rs1_release.210107-1130)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=24995B62FFC2519B34A2145673BD275F,SHA256=BB7D4DE1BE6111462F65F999A8969DA04113F15A80D534A93D3CCC76A9FE1F22,IMPHASH=F1FC6BF3699C289EBAF914A7771E49CDtrueMicrosoft WindowsValid 734700x80000000000000007997703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.093{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\snmpapi.dll10.0.14393.0 (rs1_release.160715-1616)SNMP Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationsnmpapi.dllMD5=6EC20D3BBA11E8E323DD78F3785A1F8C,SHA256=C657506547E02D7466F7556552B94267572C9AD102032563F50F7E9FFE2750A4,IMPHASH=D1AAE745CFBD7B9D86D0C6C959A93E09trueMicrosoft WindowsValid 734700x80000000000000007997702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.109{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\wintrust.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=D8CD8451D1E194230F18866AD6EFE5E7,SHA256=9977AA1287962035C24DF806DDA67F09FFE9BDF696DBA507D749C624AE1C178D,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x80000000000000007997701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.093{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\tcpmon.dll10.0.14393.3686 (rs1_release.200504-1524)Standard TCP/IP Port Monitor DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationtcpmon.dllMD5=147E359C421C3C3F4F339E6EF4B49FF0,SHA256=92F3647038C6FA3037DB3EA7730F481682413440CCE40D90FC10DED18E0E9D93,IMPHASH=3DB45672BF601A6EB432E665E2BB692FtrueMicrosoft WindowsValid 734700x80000000000000007997700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.109{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x80000000000000007997699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.093{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007997698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.093{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007997697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.093{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\PrintIsolationProxy.dll10.0.14393.0 (rs1_release.160715-1616)Print Sandbox COM Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationPrintSandboxProxy.dllMD5=A68307437E8388B73DC7735DFAAE108C,SHA256=D4C201F7FA2527BCB60477E0D43AE3F98103E464EDD94E9AF0BF9DAE707B4071,IMPHASH=C6866B01FC1B5714D1584B223E0831B3trueMicrosoft WindowsValid 734700x80000000000000007997696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.093{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x80000000000000007997695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.093{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x80000000000000007997694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.062{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolss.dll10.0.14393.0 (rs1_release.160715-1616)Spooler SubSystem DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationspoolss.dllMD5=871C382EBDE513E3CE2217D687DC2FAE,SHA256=62947AE122A2C8E80B9F9C3C62BC757BF40A52E0913922FDC75D20ACE2001E71,IMPHASH=4B854FB0B00519EA0AB648923C27B591trueMicrosoft WindowsValid 734700x80000000000000007997693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.062{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\localspl.dll10.0.14393.4283 (rs1_release.210303-1802)Local Spooler DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationlocalspl.dllMD5=BA05D6016DE00A037DFA7E2AD1530E1C,SHA256=61EE4D1BC7723485027539FC8AE59E72FF53BE072EA2345141E981877F27805D,IMPHASH=725661AED59B05CF2E13B21F634CB082trueMicrosoft WindowsValid 734700x80000000000000007997692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.047{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88ED,IMPHASH=6097EA32A6AE2378711DDF884725A2AFtrueMicrosoft WindowsValid 734700x80000000000000007997691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.062{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007997690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.062{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007997689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.062{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040,IMPHASH=1B1E4C2174456B1956B734A2FE9401EFtrueMicrosoft WindowsValid 734700x80000000000000007997688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.062{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007997687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.062{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x80000000000000007997686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.062{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FA,IMPHASH=5BAA515B293A764CA06512D078C4E624trueMicrosoft WindowsValid 734700x80000000000000007997685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.047{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94C,IMPHASH=98E0DBCEA076EF80E7DE241072E34656trueMicrosoft WindowsValid 734700x80000000000000007997684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.047{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\clusapi.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Cluster API LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationclusapiMD5=02CE365BB6DD3C57570225AC572A2685,SHA256=218A1D598180A048A0FEB135433B0DD28F5B034AA687602B09018DEB3385F63A,IMPHASH=A18EA9022AC27F1C7E02F74FAE45378EtrueMicrosoft WindowsValid 734700x80000000000000007997683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.047{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1,IMPHASH=77951C1B66390D48C5FC7B47D7C8668AtrueMicrosoft WindowsValid 734700x80000000000000007997682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.047{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007997681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.047{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscapi.dllMD5=6433F8201BFB449DC6B47F6999C2F164,SHA256=06729F1E0A0596620B48B6DC4A2CC9CC5FE55B17BD488C71F7F15AA4262C8C14,IMPHASH=50E2F760F0B39DC72CAD6892FEDF2F27trueMicrosoft WindowsValid 734700x80000000000000007997680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:47.047{3BF36828-EB59-60DD-6B02-00000000C801}2024C:\Windows\System32\spoolsv.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 23542300x800000000000000015901506Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:47.785{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87C52A2FE7610E8961ED49255E9ED1EF,SHA256=04C00B6AA04C4A0F0B5511DC87A8CB57D44791F86F93BC62368276424762701D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015901505Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:47.598{B81B27B7-EB5F-60DD-892A-00000000C701}8842596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901504Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:47.457{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EB5F-60DD-892A-00000000C701}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901503Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:47.457{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901502Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:47.457{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901501Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:47.457{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901500Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:47.457{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901499Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:47.457{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901498Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:47.457{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901497Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:47.457{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901496Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:47.457{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901495Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:47.457{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901494Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:47.457{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-EB5F-60DD-892A-00000000C701}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901493Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:47.457{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EB5F-60DD-892A-00000000C701}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901492Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:47.458{B81B27B7-EB5F-60DD-892A-00000000C701}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007998086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:48.442{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PrintService_OperationalMD5=B8B2BEE4C48A18A10A386B393CEA3D91,SHA256=005D5040640EFD330A42D1245C204D07B94E6A6BBF3C04F495DF6F883E843820,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007998085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:48.442{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PrintService_AdminMD5=313F5EAC3A5CEBCB7D7353876C912C17,SHA256=DCCCA57B79FA8717C71788D4C3FFBC22B9B59412391A9911AE5657E23B36F2B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007998084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:48.442{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PrintService_OperationalMD5=D850A6CB1E5B3FAF1EC98F74871635FA,SHA256=E3DFC4B609D409B8B77F2614E35D0732C80E4EA98A1E310F9CEABC807CF6B58A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007998083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:48.442{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PrintService_AdminMD5=EBA42499C1FA4B2FFC4B6B98643BE3F3,SHA256=FC92218A834FCA0CB833E4BAF63E303A164CEBC4DE2E9D1BA08660EA52F5B6D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007998082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:48.442{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C6BCFB3DEF5AEFDD8F5C52566A7A03D4,SHA256=D28B30075F2942CF8E889EBA203276BB0511B6EB43A62802965F9AC91979D4A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901535Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:48.837{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73267B9343FB0908A4D9F68BB0D50B89,SHA256=3428B5669E678B179C5F75B569BA36A8F3CE601501DEA80BFD3831C9BAFDDB25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015901534Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:48.696{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EB60-60DD-8B2A-00000000C701}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901533Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:48.696{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901532Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:48.696{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901531Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:48.696{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901530Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:48.696{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901529Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:48.696{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901528Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:48.696{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901527Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:48.696{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901526Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:48.696{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901525Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:48.696{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901524Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:48.696{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-EB60-60DD-8B2A-00000000C701}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901523Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:48.696{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EB60-60DD-8B2A-00000000C701}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901522Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:48.697{B81B27B7-EB60-60DD-8B2A-00000000C701}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901521Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:48.540{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E8600444274742B88CFBFAE8F9E53F0,SHA256=1D17556716248DD0163D3D6031FD8CB3559F3869B1AAFC4F0595A76F7C0E1080,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015901520Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:48.212{B81B27B7-EB60-60DD-8A2A-00000000C701}27003904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901519Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:48.071{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EB60-60DD-8A2A-00000000C701}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901518Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:48.071{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901517Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:48.071{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901516Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:48.071{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901515Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:48.071{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901514Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:48.071{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901513Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:48.071{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901512Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:48.071{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901511Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:48.071{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901510Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:48.071{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901509Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:48.071{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-EB60-60DD-8A2A-00000000C701}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901508Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:48.071{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EB60-60DD-8A2A-00000000C701}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901507Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:48.073{B81B27B7-EB60-60DD-8A2A-00000000C701}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007998092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:46.215{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.16ip-10-0-1-16.us-west-2.compute.internal48188-false10.0.1.14win-dc-128.attackrange.local445microsoft-ds 23542300x80000000000000007998091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:49.114{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0A6161D88BAE12876A50D81291D01332,SHA256=03F4B6888F0C930C587984FF10F4674125B0C24EBF34DC27D703E18C609B1810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007998090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:49.114{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=844BF2A4A1346E8663BAE9500837471E,SHA256=03FD979DA94E6B1E215C9C293E2992C1BE6248A318CB4637861DD4A7217EC599,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000007998089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:46.361{3BF36828-EB59-60DD-6B02-00000000C801}2024WIN-DC-1280fe80::b574:557a:2d92:ce61;C:\Windows\System32\spoolsv.exe 22542200x80000000000000007998088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:46.361{3BF36828-EB59-60DD-6B02-00000000C801}2024WIN-DC-128010.0.1.14;C:\Windows\System32\spoolsv.exe 22542200x80000000000000007998087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:46.248{3BF36828-EB59-60DD-6B02-00000000C801}2024WIN-DC-1280fe80::b574:557a:2d92:ce61;::ffff:10.0.1.14;C:\Windows\System32\spoolsv.exe 23542300x800000000000000015901550Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:49.712{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A89893629D57AB8C49611188A463434D,SHA256=074717456FE062F5012FFF0CED54A4059EBC7BA3A3EB68A809D49179364A6473,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015901549Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:49.493{B81B27B7-EB61-60DD-8C2A-00000000C701}23006100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901548Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:49.368{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EB61-60DD-8C2A-00000000C701}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901547Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:49.368{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901546Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:49.368{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901545Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:49.368{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901544Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:49.368{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901543Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:49.368{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901542Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:49.368{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901541Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:49.368{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901540Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:49.368{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901539Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:49.368{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901538Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:49.368{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-EB61-60DD-8C2A-00000000C701}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901537Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:49.368{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EB61-60DD-8C2A-00000000C701}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901536Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:49.369{B81B27B7-EB61-60DD-8C2A-00000000C701}2300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007998094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:50.567{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA6F75E86D0057C0F66B0C145416CA2,SHA256=3D42ED19B9663D52DC102F0B916A590AE9E09EA87A0F7ABC52BFA336B134FAE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007998093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:46.506{00000000-0000-0000-0000-000000000000}220<unknown process>-tcptruefalse10.0.1.14win-dc-128.attackrange.local61077-false10.0.1.16ip-10-0-1-16.us-west-2.compute.internal8000- 23542300x800000000000000015901551Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:50.040{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C12C2647FE0A58E88AA9A7DA0AB60A4,SHA256=2B709C7C9861A9AA05BC7061CF5A660A3EDD52D6C57C72417C95BB212C75704F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:51.317{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06191080CBF76B3C3EDC12E8DB4B860A,SHA256=A48C0796D936BE62AA5F7C00C60F13E13B80F23E1FBCA6D2B839F3AB10C3A3AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015901553Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:49.551{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52103-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901552Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:51.056{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA5B0EF52F6273616AF20FE57DC50FDD,SHA256=E9CE15D86B1FDFCE3624BAF285E08DAEC25D8A7EA8AFD2C473D89303EA93D64F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.895{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0AE2BB5C6C1D651F793E3AF605C088A,SHA256=145461D6FB21E68FD298EAA7BBB1CAF2512C64534062B1E8B6E3CA346522216C,IMPHASH=00000000000000000000000000000000falsetrue 17141700x80000000000000007998145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-CreatePipe2021-07-01 16:20:52.692{3BF36828-EB64-60DD-7502-00000000C801}3980\Winsock2\CatalogChangeListener-f8c-0C:\Windows\System32\spoolsv.exe 734700x80000000000000007998144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.692{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 10341000x80000000000000007998143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.692{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.692{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007998141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.692{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007998140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x80000000000000007998139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x80000000000000007998138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007998137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x80000000000000007998136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x80000000000000007998135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007998134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007998133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x80000000000000007998132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007998131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x80000000000000007998130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x80000000000000007998129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\esent.dll10.0.14393.3686 (rs1_release.200504-1524)Extensible Storage Engine for Microsoft(R) Windows(R)Microsoft® Windows® Operating SystemMicrosoft Corporationesent.dllMD5=372653326F31FCCA92A05331BCC8C95D,SHA256=B300AF0A4651A44C4D7D344033EB6317480CEF6F9E24BE1B34DA75A1B00C1807,IMPHASH=637BF97067C7F0AB1E14497F0B9878AAtrueMicrosoft WindowsValid 734700x80000000000000007998128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 734700x80000000000000007998127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\ualapi.dll10.0.14393.2636 (rs1_release_1.181031-1836)Windows User Access LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationualapi.dllMD5=BBD8E839B4D33D7BB5761EC15C837EBF,SHA256=D52F179FBC42858904CFE0A743927756E6C722237A015A4D0A012F730D162C0C,IMPHASH=A9AB204CF2B4A1903B3FBA3C920BD357trueMicrosoft WindowsValid 10341000x80000000000000007998126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-DD0B-60DD-0A00-00000000C801}6442912C:\Windows\system32\services.exe{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007998125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007998124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007998123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007998122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007998121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000007998120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007998119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007998118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007998117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007998116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007998115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007998114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007998113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007998112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007998111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007998110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007998109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe10.0.14393.4169 (rs1_release.210107-1130)Spooler SubSystem AppMicrosoft® Windows® Operating SystemMicrosoft Corporationspoolsv.exeMD5=87E844BD124333302C9DCF947D98B3A3,SHA256=4C3316B6F7671B2E859B2BC98702C7973FB9BC7A6EA71EDB6ACDFE2CF23EB7A0,IMPHASH=A40033EBEE6E37CE4B1D96B817E1BCC7trueMicrosoft WindowsValid 10341000x80000000000000007998108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007998103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-DD0B-60DD-0A00-00000000C801}644736C:\Windows\system32\services.exe{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+435ad|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007998102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.678{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exe10.0.14393.4169 (rs1_release.210107-1130)Spooler SubSystem AppMicrosoft® Windows® Operating SystemMicrosoft Corporationspoolsv.exeC:\Windows\System32\spoolsv.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=87E844BD124333302C9DCF947D98B3A3,SHA256=4C3316B6F7671B2E859B2BC98702C7973FB9BC7A6EA71EDB6ACDFE2CF23EB7A0,IMPHASH=A40033EBEE6E37CE4B1D96B817E1BCC7{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000007998101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.676{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-DD0B-60DD-0A00-00000000C801}644C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000007998097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:49.385{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61078-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007998096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:52.114{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DA34981B17F724F5EC308CB846C1A97,SHA256=F8592D7E91ED7FD0EBA36CDF9290F425047A454470DE472BCD549F575026473D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901554Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:52.056{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B1FAB39CF415D912600F2E1925FA72F,SHA256=29DDBF0707D62FCB4E9B4C0304E501A41543D21C6B9A0518545A5FA35380CA59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:53.661{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA9A948B7F040D127F8F6A7BBDE28426,SHA256=2B7A9032724230C7755A77A34CC14057CBBDC825EB41E874EE06A1C6157CE85A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901555Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:53.087{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D409B7EEB6D1CEF5E9A527AB9271F9E,SHA256=ACA9DE69DD1C01DEB1F282C9A11647E56C16978F89FD2379284EEB10A9C3DF2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:54.395{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9BF2FA2FF36E1320402707789AE07B37,SHA256=D5E8AC6E3DCB884B50814BDEBD9CD3AC38EA816D7EAD56FA0B941EAB28ABC617,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007998148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:54.395{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0A6161D88BAE12876A50D81291D01332,SHA256=03F4B6888F0C930C587984FF10F4674125B0C24EBF34DC27D703E18C609B1810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901556Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:54.118{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10ED11FB4488D8F9100CE7046A2AB0A9,SHA256=ED5FB3C27D2BAF2C0053008D5ADE122A3C1422545D8700120BCF2FB5BD82C48B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:55.067{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2747F916E446475A42A775779CB50FD0,SHA256=8DB3CA1BFDDE3386C43A65F22B02F735272D11225A7D84D5F9E660C7F98C251E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901558Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:55.462{B81B27B7-880A-60DC-1000-00000000C701}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E155545F9106EF876180BCCDDE323C62,SHA256=DF3FC3094857CFA80F7BE32438ED1CA3B3744E3958C5582A04A3B3355301B337,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901557Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:55.149{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C34C8DFE7A317075EC7B45C7189F1A3,SHA256=A4EE459FFD2E197FA89A5733EB9A366CC3CCAE5B00C593F539C90182DCE24C14,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:56.520{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DBB9BC2D164584B35F53E209EB9B67B,SHA256=E34AC8E370A98BEEDDA4A483D52877A77BDDEE24529CD77C0C1A2C109DF56E9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901559Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:56.165{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=071B8A6CB8B212FFA8FFBA92425EE772,SHA256=9E4778A7676F510AFA24908E09DA961035711F944492236E9F9740963E003AF6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:57.879{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EDF2AF53C97D2B278A03EDBE47E366A,SHA256=B064806ECC0DBD6AC52EED6FE863C07993617FC51243F4B2A105999548C64CDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007998156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:57.879{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D85BA1A978EFE6424533939C6B03AAD,SHA256=D68F231EF3C40BA7285C096262140D9240BCCCFEAD3F9B2597DEB676FEE0A869,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007998155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:57.239{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x80000000000000007998154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:57.239{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeC:\Windows\System32\drvstore.dll10.0.14393.2791 (rs1_release.190205-1511)Driver Store APIMicrosoft® Windows® Operating SystemMicrosoft CorporationDRVSTORE.DLLMD5=D0DE1D69FC3F00F65F8D67C31BCC9682,SHA256=F27CEB248FCB3444B850896CB916DACC10BC730E7C2679D2A6C2582CC667F8AD,IMPHASH=AC3F232984E3ABCCF80F1B2A1ACA9991trueMicrosoft WindowsValid 734700x80000000000000007998153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:57.239{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007998152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:57.239{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeC:\Windows\System32\devinv.dll10.0.19645.1032 (WinBuild.160101.0800)Device Inventory LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinv.dllMD5=8BFD253467CDB3F41ED2A23FE08B361D,SHA256=5A938F1A6D0FF39BE7B5BD88F46988F4CDAA78134E9E22AC02C46EC688819D17,IMPHASH=94EEFF72CC677C4C4124B0B3A85F7825trueMicrosoft WindowsValid 23542300x800000000000000015901560Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:57.181{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7381C2E387C96558786FAB07E4B374CE,SHA256=0AA5852F361D25387D03833A98DC942045416A89FA6B4F3ECDA38A2679B4ED1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007998158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:55.260{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61080-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901562Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:58.196{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2CDA21B9B8D8F7EAD0B2181B5932CF2,SHA256=F76083D432ABF2EE1544E3634303A697FEEDA7CD8FA7A75EBEBEEB4E42E2F915,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901561Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:55.379{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52104-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000007998161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:57.559{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61081-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x80000000000000007998160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:57.559{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61081-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 23542300x80000000000000007998159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:20:59.239{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAD9B32E300D4CAA4C628F15E9677DF1,SHA256=E364461B20FE33267C2C2199D05C81C7AE47FE7913B92B1C937B64BAA0AA5D09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901563Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:20:59.228{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DBD235E95B983A2018E7D1E4E81740F,SHA256=49CF92574F390986AC66268095B52F121137FD8DB6AAAD190961AE8261EB57A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007998192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:00.925{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:00.925{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:00.925{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:00.925{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:00.925{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:00.925{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:00.925{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:00.925{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:00.925{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:00.925{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:00.925{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:00.925{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:00.925{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:00.925{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:00.925{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:00.925{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:00.925{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:00.925{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:00.925{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:00.925{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:00.925{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:00.925{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:00.925{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:00.925{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:00.925{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:00.925{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:00.925{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:00.925{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:00.925{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:00.925{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007998162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:00.612{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C907CC88419586DA0B9A2DBDEF1966F,SHA256=4918415C5BF3806FCA0BEE7C44409E8EAC3B2880A25E5EE7005362D8BC6EDA67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015901592Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:00.540{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901591Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:00.540{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901590Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:00.540{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901589Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:00.540{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901588Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:00.540{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901587Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:00.540{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901586Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:00.540{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901585Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:00.540{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901584Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:00.540{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901583Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:00.540{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901582Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:00.540{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901581Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:00.540{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901580Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:00.540{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901579Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:00.540{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901578Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:00.540{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901577Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:00.540{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901576Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:00.540{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901575Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:00.540{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901574Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:00.540{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901573Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:00.540{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901572Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:00.540{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901571Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:00.540{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901570Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:00.540{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901569Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:00.540{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901568Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:00.540{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901567Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:00.540{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901566Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:00.540{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901565Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:00.540{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015901564Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:00.243{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=051CD1AA467651AF9456DE70A61975AB,SHA256=DB1A7A92678E0C0D5011A7A961B387A4273A7DBB3943EF8F7FC88D74EC017826,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:01.990{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D2911F80794F1D051A517252B4AF6B2,SHA256=4A65061A60737753E58AD7F808B765CC6058ECB5291A98C8950E38038A1D65B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901593Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:01.587{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4E7724884BD2B989B585BE6E54313F,SHA256=5895D528BE2AC33D8D6E5A18A82D08A1F37FF3A17CE3FB9B0650ABB94DD8927F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901594Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:02.743{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE62956AF261028BAE4BF3FBA460CF22,SHA256=D9C8B54E8B319444D3AF5F7205237A3C492172B86A23E2ED19C069C27A7647DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007998195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:00.383{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61082-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007998194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:03.350{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D983AFBA712E3EBF21D7CDDE02D2AE80,SHA256=54BBCCF016BC5548C6A1DA3988AB4222AA94E4A549BFB021098EED3BE1CD2F5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901596Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:03.759{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9201E2F6C0E906E35A39EFA71FA5B066,SHA256=6D87C5011756A0C2A399E5EA2494D87120B275941988465DC069A93AA4A4B321,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901595Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:00.410{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52105-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007998196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:04.771{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7C053DEA5930A289094BC6B8EA77D32,SHA256=2277C62D1FB61905A11108B06044A3D128385C4EBE9E589CB9FFD915FA2037B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901597Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:04.790{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9117DF34ACD2B57074D6695599E5BF0,SHA256=2B8B635E9D7B3A333D63FEB3F548E4021F8891336E3436E8A13932C2A9E06809,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901598Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:05.821{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=685A6CE66DD0BA24BFBEB1DA1BF88202,SHA256=B4B85108220929DC94821D07242A7491896B8A5E8F2DC909145AC2B529D76371,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901599Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:06.870{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9816815F5839D625A3349D9DF1F20FF1,SHA256=B21CA4D2ECF98246D27C6600DB6D4701117F11C962AE0290187D2068D98E5F2D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:07.475{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C697AFE268F18539609450BED8974BA8,SHA256=936FFCC190BA38241BD1FA218F116070C6BA1FF5D7975289EF891579071B684F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901601Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:07.889{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3FDC49DDFC99D73CFAE425EF5521793,SHA256=F2CE40008E8F07AA9103D6C99037644CEF018DB08FBAC973E0531C0B5A02A367,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901600Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:05.459{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52106-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000007998199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:06.324{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61083-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007998198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:08.477{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F822CAAD2912B3F34AD21E0FD63E522,SHA256=9F90D9DBCF57AFA275437BDD1D3B9A1E6389F948DED996E5ED2C52D22182B2B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901602Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:08.922{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3429A2DAEE1766BC5AF1374798C38FC2,SHA256=E2295B9EDB6667A0476946CCC67BF6E86437F8A7D0386B1C4D4A269DB3480F2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:09.821{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31D2EDBF513E4A06E6D797EDBD1F84A1,SHA256=4B8E2C687DE8972507E64A09C238FFD216BD50A7F61E5B78CCFFB7112BB32AC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007998200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:09.509{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=608B1F82CE6CC00E043944E043BFA92A,SHA256=FCBDB3068B742218276E5485BE5B2749AA5A4DC74C45FBE863EF0ED6E624EF79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901603Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:09.969{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C457536699C6641C0AA9FC354B7AD79,SHA256=E4604DA83042E500C6D1888BAC76BB8DF904925B3CFE2CDB40F45AC8427617FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901604Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:10.985{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4865ED4FC3E8B7E8233384758E25624B,SHA256=4D03B6D85A20CCB89C500EC1D857E3DC291099C22CD93EFDBE998157BF8C2FF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:11.243{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F55F444A81C75522A4C99D60BED7D434,SHA256=8EAA0D1909433470489D5C57D23162407278E6EEF5794F8B318819808C777019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007998203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:12.618{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CBAF85351A2046DC027086C54FD58C9,SHA256=A359C9A7D542CBB084235A48D0888F86E20751D6D2F697A072FF77587AD0009D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015901606Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:10.542{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52107-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901605Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:12.000{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7CDBBD7243A33C3F89DA7E5AA428F03,SHA256=9C88CE52BF488C8E8BADC93353CB9F6AC2DAF8A3D192CC9A806757A361A57DA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:13.993{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=234EA8EBBF03B4F64A2AAD4545A43D4D,SHA256=6A14F446270DCAF48E6188857D04F60AD95D6676C0186B0CA2B74901D7423158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901607Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:13.000{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47546BF8A63CB0B3611F72C619CB4E63,SHA256=D504CD33CC70EA8D9C31A4A393F12C1E2DF6076A292AA4F7332F66E01B950740,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007998207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:11.358{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61085-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000007998206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:10.858{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61084-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007998205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:10.858{3BF36828-DD1D-60DD-2F00-00000000C801}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61084-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x800000000000000015901608Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:14.016{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0789ADC2814F43DBE09D211639F7CA1,SHA256=ED6656071EBDFBC3FA0000FFC1388E54953B9C64BB2B26B8183124E3A1F52942,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:15.352{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC0DB01559EB3C5FF7A8751F89DECBE1,SHA256=80944B9AE7CA45C390F93425BAAE7D3B5FE6403972260818E3331F3BC8D66694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901609Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:15.047{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57574F7F151072B09F880243C68363D2,SHA256=9CAB02F5AC6F479115148EDB051215C7CCFECD0934169C34704734E960884C94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:16.712{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F73076355D50C1A427B4DEB42FD37DB,SHA256=DFB8128C7B931779C3B9E7BBDC896E5AB0322A6B00B65A128DE78D13BC0178A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901610Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:16.063{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAB09E75D485EF7C3DB9DCA00F7BEFC0,SHA256=C7A9D588D5DAB6841B4F7FEC40E42D16EFD8855ACF76D3316DBEB71157E061EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901611Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:17.079{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B07B2E4EBA4F5DBB43CD18B9FF99B5B,SHA256=4126D4E8B43E3626D41AFEEED1DD3C028AAF47DCEBD55FFE0EA909DF5775FA16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007998313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.899{3BF36828-EB7E-60DD-7702-00000000C801}45482244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007998312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.899{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007998311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.899{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007998310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.790{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007998309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.790{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007998308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.790{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007998307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.790{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007998306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.790{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007998305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.790{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007998304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.790{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007998303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.790{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007998302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.790{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007998301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007998300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007998299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007998298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007998297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007998296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007998295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007998294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007998293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007998292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007998291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007998290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007998289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007998288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007998287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007998286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007998285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007998284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007998283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007998282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007998281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007998280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007998279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007998278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007998277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007998276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007998275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007998274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007998273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007998272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007998271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007998270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x80000000000000007998269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007998264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.774{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007998263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.776{3BF36828-EB7E-60DD-7702-00000000C801}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007998262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.368{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007998261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.368{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007998260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.368{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007998259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.258{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007998258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.258{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007998257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.258{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007998256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.258{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007998255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.258{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007998254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.258{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007998253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.258{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007998252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.258{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007998251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.243{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007998250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.243{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007998249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.227{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007998248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.227{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007998247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.227{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007998246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.227{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007998245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.227{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007998244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.227{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007998243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.227{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007998242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.227{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007998241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.227{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007998240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.227{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007998239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.227{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007998238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.227{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007998237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.227{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007998236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.227{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007998235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.227{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007998234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.227{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007998233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.227{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007998232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.227{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007998231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.227{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007998230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.227{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007998229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.227{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007998228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.227{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007998227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.227{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007998226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.227{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007998225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.227{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x80000000000000007998224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.227{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007998223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.227{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007998222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.227{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007998221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.211{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007998220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.211{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007998219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.211{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.211{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007998217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.211{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x80000000000000007998216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.211{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.211{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.211{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007998213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.211{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007998212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.106{3BF36828-EB7E-60DD-7602-00000000C801}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007998211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.102{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF8E6BE12F4BD124F5391B3C173DDFEE,SHA256=F1592ABAFF59F0CFBA5A8C6A0D35E9CBCD9C8C09CCC00C5339CA1291A4036E5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007998210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:18.102{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7DA91174F4F9E312CAEC4842A872DF8,SHA256=2F8A2F1E0DE4CA5AC212D98F6BD19448421938BF33D623F1EEE02CF12344990C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015901613Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:16.432{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52108-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901612Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:18.094{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A0E462B4E54AA191405C6A683B4DE1E,SHA256=72D4960676CF0E00582D1CDDFEF7571ABD83BDB600C1C078306EB036E613C332,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:19.461{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2633C652967990C4F69F2D8E391497DA,SHA256=B6433B60330CBA1A460D2DF31C4E6D2355F88191ACC48D8F7714C40106D0FFE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007998314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:16.405{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61086-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901614Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:19.126{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=306036103548D1B24B3C9A482BEC39CE,SHA256=E52E875811276885F2B2C233153B6A70896B2A91972085E03F6A72E260B35834,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:20.821{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0066CB2F7D6253A8D8748ABACCF8EC52,SHA256=385D91D9159399B2E32BBE91E3755453CF37BD07BF467EBEF5DE26482F45B4F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007998316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:20.133{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DCB173F9FC35F6507794D2747AD1765,SHA256=7A12BA76233BBC6F21E003158734D4A5C346A3405B44097456C851C66F72548D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901615Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:20.126{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B35D0E0353FA79E4258A79C55297AA22,SHA256=9FF92EBE7F22FDE283BA51EE5A0093D346201FD18A6B37B44314B5712D642C00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:21.227{3BF36828-DD1D-60DD-3000-00000000C801}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901616Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:21.141{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2061FD53F3771B908E8606029E2441AE,SHA256=B4FEDFDC14BD0C1F229B12B27D24DBC8B64BB84F7F82F18266B791FE3948C842,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:22.258{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFFC0B29153424036C09FD116C4A757C,SHA256=7FA6125D72933C1F271CDFE98D27E28C0DF747D0501953CEF2F7079067DBBFC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901617Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:22.157{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31012A0342F9EEE77C2146889C3CE9F2,SHA256=88CB296E625298479CEEF0F82120EC6BC137DE93F81F38B4E25F09506332E16B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:23.696{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7361CD045CDED4A8E1A072DA126B27E9,SHA256=E1CF4CB6E680E3930B105646B4BA7B1751C09BFEAA8C3F857CA9FF9CFBE03DC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007998320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:20.405{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61087-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000015901618Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:23.157{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94DA8EDAC43DB0631A6CE4C43F41A5F0,SHA256=890DA56567BA3F366E82A2A85F99611ADDE55B5D501398EC0A9577789E09748C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007998327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:24.477{3BF36828-DD0D-60DD-0D00-00000000C801}9244328C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000007998326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:22.279{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61088-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000007998325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:21.612{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local61277- 354300x80000000000000007998324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:21.611{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-128.attackrange.local53domainfalse10.0.1.14win-dc-128.attackrange.local56405- 354300x80000000000000007998323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:21.611{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local60492- 354300x80000000000000007998322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:21.610{3BF36828-DD1D-60DD-2C00-00000000C801}2292C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local65535- 354300x800000000000000015901620Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:22.417{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52109-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901619Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:24.173{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73E0D5BF52501EF38F1C52F843CDDC03,SHA256=4B9673AF2F5B8615D9D4203C0EC5ABB3070CBB3BBC37FAEB0F35CEEC6D587630,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:25.743{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB0E5EA7E4F620183BFAA46AC8A10DB,SHA256=F64F75CF72D3555E68EB3A3EC2F8027515183B3688946518D1D3331FFD2454FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007998328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:25.055{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2095CE78E2D856CD228B470C4E569FF4,SHA256=7446EFB31C04DA9D491EA84FF38F87E6C7CCA7C1425D34B5276DF267A1F2B92A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901621Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:25.188{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=658FF3B95A3CC4C9929D74B58FF0F65F,SHA256=DCAEE955C3D6189ED489A5791168C70E1BC28B6EB87E310F73DB5A5E15C46760,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007998380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.555{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007998379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.555{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007998378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.555{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007998377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.446{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007998376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.446{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007998375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.446{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007998374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.446{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007998373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.446{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007998372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.446{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007998371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.446{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007998370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007998369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007998368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007998367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007998366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007998365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007998364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x80000000000000007998363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007998362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007998361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007998360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007998359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007998358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007998357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007998356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007998355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007998354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007998353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007998352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007998351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007998350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007998349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007998348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007998347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007998346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007998345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007998344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007998343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007998342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007998341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007998340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007998339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007998338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007998337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x80000000000000007998336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007998331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.430{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007998330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:26.432{3BF36828-EB86-60DD-7802-00000000C801}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901622Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:26.235{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CA3DF95C736CF1C68C1F1FAF13F3CA7,SHA256=8BCBB670685509B9B1BFF7556A7BD3F8D44B8938F2A13CCB7CA00FC9A3514CEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007998488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.933{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007998487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.933{3BF36828-EB87-60DD-7A02-00000000C801}3804516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007998486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.933{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007998485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.933{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007998484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.821{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007998483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.821{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007998482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.821{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007998481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.821{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007998480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.821{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007998479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.821{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007998478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.821{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007998477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.821{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 23542300x80000000000000007998476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C35331284526F981AD0E5BA58451D36D,SHA256=40AA25B098AEC7BFEED95C28951DD4B748A509FF8289F812BCAC29D730A6D822,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007998475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007998474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007998473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007998472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007998471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007998470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007998469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007998468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007998467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007998466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007998465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007998464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007998463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007998462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007998461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007998460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007998459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007998458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007998457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007998456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007998455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007998454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007998453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007998452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007998451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007998450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007998449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007998448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007998447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007998446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007998445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007998444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007998443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007998438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.805{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007998437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.807{3BF36828-EB87-60DD-7A02-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007998436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.227{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007998435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.227{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007998434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.227{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007998433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.117{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007998432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.117{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007998431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.117{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007998430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.117{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007998429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.117{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007998428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.117{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007998427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.117{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007998426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.117{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007998425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007998424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007998423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007998422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007998421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007998420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007998419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007998418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007998417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007998416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007998415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007998414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007998413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 23542300x80000000000000007998412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58257FF63E59B55BF3BA088E083B55C7,SHA256=A3F85F023A9B0BD5F87BB5D022FEC5E806CBED9D747FF6CE440289629E4E5084,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007998411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007998410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007998409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007998408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007998407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007998406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007998405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007998404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007998403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007998402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007998401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007998400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007998399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007998398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000007998397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007998396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007998395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007998394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007998393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x80000000000000007998392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007998391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007998390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007998389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007998388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x80000000000000007998387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007998382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.102{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007998381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.105{3BF36828-EB87-60DD-7902-00000000C801}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901623Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:27.266{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EF4C7822D0BE9D10B7966F3C86B5106,SHA256=FD85A378541443FF2A407EE8B2C2A0AAE0EA8F5C4D79D908DD66206F09E6EDC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007998541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.636{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007998540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.636{3BF36828-EB88-60DD-7B02-00000000C801}45884012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007998539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.620{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007998538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.620{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007998537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.511{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007998536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.511{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007998535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.511{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007998534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.511{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007998533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.511{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007998532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.511{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007998531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.511{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007998530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.511{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007998529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007998528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007998527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007998526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 23542300x80000000000000007998525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=691661216DC2507319F31023821AC243,SHA256=0D5B24EFC30D1819F40AF92B3BD250BD1ECF07530CB70B3B6BAFC2C91BB43E42,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007998524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007998523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007998522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007998521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007998520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007998519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007998518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007998517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007998516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007998515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007998514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007998513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007998512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007998511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007998510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007998509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007998508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007998507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007998506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007998505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007998504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007998503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007998502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007998501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007998500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007998499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007998498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007998497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007998496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x80000000000000007998495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007998490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.495{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007998489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:28.498{3BF36828-EB88-60DD-7B02-00000000C801}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901625Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:28.767{B81B27B7-880B-60DC-1F00-00000000C701}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901624Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:28.282{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5391E41E0DF7B1E2FD851E76ED376FEE,SHA256=D0620783FB53C8D3E3D8C4EEF753ADEDD7FEDC169A54AE8C8B079F0E942EEF0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.901{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA13F6F175DEAAE4B8963FF8BF01D4F,SHA256=B6A01D3D3189BCAC2273828BB0C90B3CC150B406E651D956A50A5DAAF4D7AD79,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007998593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.292{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007998592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.292{3BF36828-EB89-60DD-7C02-00000000C801}49402244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007998591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.292{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007998590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.292{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007998589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.182{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007998588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.182{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007998587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.182{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007998586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.182{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007998585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.182{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007998584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.182{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007998583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.182{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007998582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.182{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007998581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007998580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007998579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007998578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007998577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007998576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007998575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 23542300x80000000000000007998574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE8F3205C949F80ED1BB7C4F641E3719,SHA256=67D8483F87366274C17E273CD46DF3E69051FEA229BB97C7C8E98689ECA278CA,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007998573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007998572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007998571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007998570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007998569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007998568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007998567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007998566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007998565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007998564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007998563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007998562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007998561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007998560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007998559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007998558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007998557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007998556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007998555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007998554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007998553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007998552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007998551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007998550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007998549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007998548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007998543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.167{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007998542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:29.169{3BF36828-EB89-60DD-7C02-00000000C801}4940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000015901628Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:28.058{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52111-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x800000000000000015901627Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:27.417{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52110-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901626Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:29.298{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C08100ABD12E96F1CB0ED2B43F60C074,SHA256=36B21ED3E86B394B2AF51963AD46FC6C9AA368C95D7C7B47FC22C2F0D39062D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007998596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:27.423{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61089-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007998595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:30.589{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33509ADB79E787A755FEE33DD7AFAA81,SHA256=0AF50F31FEF218DD1C2CF3F461ED769F6F445FF5D0696A7055176A3F787CEF5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901629Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:30.360{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C53545EA40AECEA975556098BB6A0B9,SHA256=22520BCD07E80BAE4DFEB32236E6C00F69A02A5FDD84A6D643A79F5AE949A8EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:31.339{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B926149B63D2EF9900CDD31A62F7A8DF,SHA256=5DFEF75E0D9C5C65B1CF8F40CAF51E771456F22B3DB3BB1190631E3787BFC46F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901630Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:31.391{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B1288D1FE7BB26B0D343CBAB0A4A93E,SHA256=E9E3E82348CB74BF2673E2306F51B9DA1969CA8E5ADE9735D37AB53696C0259E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:32.839{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17516A2A9EAECEB153BDF769719FC1B2,SHA256=4AD05B029B913A4110C5E029B7205BFF1E21BDBEB5913080D8AE050497AC343E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901631Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:32.407{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E34322D27684106C8F79F4E9B2409BA,SHA256=0B00AE445FAFB038CC0D677669C202ADA72A0C7F8A2B4938270B720AAC34F08B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901632Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:33.423{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F95961DFF3AF49F605DFCE29CCA88E8A,SHA256=EDA3AA00D91A49F444F8E7EA0025C589EE929B612F754362AEAE374852677073,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:34.260{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3E3AF3D42E9346BFCC2DBEBF7703B1B,SHA256=570E0E9568D95BCFA045C7B5048800D8C825DB5CA62A06D84A0684AE2D6C9105,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901633Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:34.454{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4A976B1F14F1F20C089AD79BB381C7B,SHA256=FAFF5202BE408320E471D117A2CA464D8C23886D186B42AA74EAA15C0D5008ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007998601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:33.376{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61090-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007998600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:35.620{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61F7C58EE9E108DD61434AEF28388194,SHA256=7B73626C9DEC0BA7C60D0CDAABA57C4D7315DA9BC9C6DED21A71BBB324136F89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901635Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:35.470{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3FB648D906017DC2E89B8533C49CDC7,SHA256=59FCF6F9C7CE7E0A914BA9C75B863626F63D495EEDA13E46E4E0CD4335AE7DCE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901634Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:32.464{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52112-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901636Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:36.517{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18599E64CDEBFB0CED35A71D7B79DEA4,SHA256=788AD918134523FBD08BCA1AFC8BC666E33CE52AC74DD2464AFE477CD0B51C96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901637Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:37.532{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B3588FC0903CE98D4355B2C62DF000F,SHA256=3C9D609CB645C7038D3D057942F3A3B8F008C26D11DB21E136A253057C0C95B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:38.339{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8BFCFD5A8F605EAA440D9718A084BEC,SHA256=5FCD4F2C8685142F59B6356B48E4DB05F85D07ABB21682CA1EFD871E1C97300A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901638Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:38.548{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C7B2CAF94B4773EAA2E14EDEBF5470,SHA256=5671F0D12C658E0236E9B2BA8CB8D7C89DDAFC8F2A57D6E29B9871FD09B91909,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901639Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:39.579{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF421DB07BFB874E03FFAD2A649D18BC,SHA256=7533C3119EA45147CB097BC5D2DE94065A28432DA8236CC4B270AC019505166B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:40.042{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DDB0E372996EE3635293D75C86E9F62,SHA256=5CD525347FC41045FFDCBD65D5197488404353C897EF9924597F1780BDAA8FF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007998603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:40.042{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA72622C632D6D0BBEFC20C10933FA8C,SHA256=1D359C84FD44837F6C732643B60B9498995C1A6A040E511791A831A5C8C11FBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901641Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:40.610{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3CAA27D8B043EB215C8AE874EC69F2A,SHA256=0BB1511E3EB44EB391FD52EDFE6BBEB86AE4CA5DCA29D03F9F61F3C557865D01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901640Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:37.511{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52113-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000007998606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:39.407{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61091-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007998605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:41.417{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59756BA191155BB33BF216A3BE972D6E,SHA256=D5A77AD43C12A7762026DF57D5AB21DF7694F1713864420EEB2FE7A545A66808,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901642Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:41.626{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84305A8F60D5512C75F725C7870C6C13,SHA256=F2A23C16E9773C15CEF231BE152BAF835557F1F8DE5D36F7564950AEC29F7070,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:42.776{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA33D29F756B30DBFB98B7F719BE78A6,SHA256=F2425847C594C9F6F6F8D6471565DB2A6E817CA7A8AE1080934B216B689CF9C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007998607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:42.495{3BF36828-DD0D-60DD-1200-00000000C801}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=638407C3F04818A7171F6E8C9F3DCAAA,SHA256=1E6BF3EB01896F361E8F2CE741D887984EF4BE9C24209445DA2D67F161A1B4F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015901657Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:42.923{B81B27B7-EB96-60DD-8D2A-00000000C701}3086132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901656Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:42.782{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EB96-60DD-8D2A-00000000C701}308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901655Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:42.782{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901654Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:42.782{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901653Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:42.782{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901652Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:42.782{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901651Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:42.782{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901650Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:42.782{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901649Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:42.782{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901648Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:42.782{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901647Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:42.782{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901646Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:42.782{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-EB96-60DD-8D2A-00000000C701}308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901645Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:42.782{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EB96-60DD-8D2A-00000000C701}308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901644Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:42.783{B81B27B7-EB96-60DD-8D2A-00000000C701}308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901643Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:42.673{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE14773DE0516A97C22177AAC000AE3,SHA256=E1FC3BDFB82CF192943A40ECBB2A9672B7CBBE249D791E76B5468FCD3AE89F4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015901670Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:43.454{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EB97-60DD-8E2A-00000000C701}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901669Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:43.454{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901668Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:43.454{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901667Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:43.454{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901666Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:43.454{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901665Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:43.454{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901664Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:43.454{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901663Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:43.454{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901662Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:43.454{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901661Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:43.454{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901660Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:43.454{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-EB97-60DD-8E2A-00000000C701}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901659Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:43.454{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EB97-60DD-8E2A-00000000C701}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901658Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:43.455{B81B27B7-EB97-60DD-8E2A-00000000C701}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007998609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:44.135{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F05C776C3F48A4F6F90C66A34E9F610,SHA256=9EF7740BAA3F97379D471830A2D3E7BA55B1B0BB8B887E6677602DE8612FAA3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901686Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:44.173{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63BFB3A0493F0EE1F0AD0AC1644533CF,SHA256=27AC58842472763A238DC7F6D3069FB01D8BC12E51EAA77A39F4CA5CEE930F1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901685Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:44.173{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1941C629F3DD1BA777A85AFB6F85A7F,SHA256=152E0707E4B2CD1EA5A79A5D5FF46C520AFB2EAA244187F90FA7AB36C97AE007,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901684Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:44.173{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C01B43D81C7E097BB3440CED6FBCCEA8,SHA256=0FB3595CA5C853793298641CA38E063E597043861A1501169E075E40ED1FBABD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015901683Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:44.126{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EB98-60DD-8F2A-00000000C701}1140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901682Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:44.126{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901681Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:44.126{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901680Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:44.126{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901679Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:44.126{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901678Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:44.126{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901677Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:44.126{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901676Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:44.126{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901675Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:44.126{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901674Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:44.126{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901673Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:44.126{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-EB98-60DD-8F2A-00000000C701}1140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901672Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:44.126{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EB98-60DD-8F2A-00000000C701}1140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901671Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:44.127{B81B27B7-EB98-60DD-8F2A-00000000C701}1140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007998610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:45.510{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9D74A79342CD72150933BC21A4B445C,SHA256=F97CE7FCD5255279B28EDADB45FB29E24F6C05A96019BD1F0570C1EB1E12858A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901688Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:45.220{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63BFB3A0493F0EE1F0AD0AC1644533CF,SHA256=27AC58842472763A238DC7F6D3069FB01D8BC12E51EAA77A39F4CA5CEE930F1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901687Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:45.126{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D843CBF921634A0F13D3120306F498A,SHA256=1316F4B6F7E90FDF127B8754C752079C7F6D6348C96014AD4EF1AD2CFC8EEFFF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:46.870{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B34C9F86CC10021F733033D287965712,SHA256=EB0910C0372FB78188988E5D1222BB0124C946A5AF1F61137D5B3130A1FB99C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015901692Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:46.345{B81B27B7-880A-60DC-0D00-00000000C701}7963608C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1100-00000000C701}988C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901691Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:46.345{B81B27B7-880A-60DC-0D00-00000000C701}7963608C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1600-00000000C701}1208C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000015901690Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:43.401{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52114-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901689Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:46.173{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B3FB0345398B73AF85AAECD91B45506,SHA256=4BAB056659FD418D465EBA1374BB279C73B5900C65F196D65CBB606DB96B4D94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015901707Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:47.626{B81B27B7-EB9B-60DD-902A-00000000C701}32204180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901706Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:47.470{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EB9B-60DD-902A-00000000C701}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901705Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:47.470{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901704Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:47.470{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901703Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:47.470{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901702Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:47.470{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901701Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:47.470{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901700Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:47.470{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901699Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:47.470{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901698Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:47.470{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901697Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:47.470{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901696Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:47.470{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-EB9B-60DD-902A-00000000C701}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901695Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:47.470{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EB9B-60DD-902A-00000000C701}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901694Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:47.471{B81B27B7-EB9B-60DD-902A-00000000C701}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901693Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:47.189{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C726179CD258202CFAA219124243E70,SHA256=98F37F327C3F1EF62A49235FF92EEC966FB7D78623E2F6DBC75A2DDB79A48845,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:48.274{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40D5B8A3F366804100398D4732B47ADB,SHA256=D55BA22EC5B36EBDBE99250F3F948B734B84F5B9AD6B78D12A26676126AE3F40,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007998612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:45.453{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61092-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000015901740Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:48.937{B81B27B7-EB9C-60DD-922A-00000000C701}5921700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901739Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:48.812{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EB9C-60DD-922A-00000000C701}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901738Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:48.812{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901737Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:48.812{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901736Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:48.812{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901735Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:48.812{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901734Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:48.812{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901733Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:48.812{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901732Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:48.812{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901731Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:48.812{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901730Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:48.812{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901729Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:48.812{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-EB9C-60DD-922A-00000000C701}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901728Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:48.812{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EB9C-60DD-922A-00000000C701}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901727Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:48.812{B81B27B7-EB9C-60DD-922A-00000000C701}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000015901726Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:48.640{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1500-00000000C701}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901725Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:48.640{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1500-00000000C701}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901724Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:48.640{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1500-00000000C701}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015901723Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:48.483{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF8892C669EAB751A1E98666D86DFC19,SHA256=BB434292BEF4508F5325573EA3230CAF602AA010593F78452DBE6B24C1C65B1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015901722Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:48.280{B81B27B7-EB9C-60DD-912A-00000000C701}26045392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015901721Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:48.218{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5D919C0604CEA35CCFFF2761030DE05,SHA256=0B34D79E67CA891CAD22CE32A950931F593703CC7035D53C630770BAB2003B17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015901720Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:48.140{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EB9C-60DD-912A-00000000C701}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901719Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:48.140{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901718Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:48.140{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901717Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:48.140{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901716Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:48.140{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901715Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:48.140{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901714Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:48.140{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901713Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:48.140{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901712Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:48.140{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901711Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:48.140{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901710Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:48.140{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-EB9C-60DD-912A-00000000C701}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901709Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:48.140{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EB9C-60DD-912A-00000000C701}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901708Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:48.140{B81B27B7-EB9C-60DD-912A-00000000C701}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007998615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:49.633{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=768A6335EE7BB8973EBE67E46B27C2B5,SHA256=896AB447BE338887363E66E1B997FD10D4981020D2F3B2CA3BDC6A5F5004732F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007998614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:49.633{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0922D5241B959BB7923F82D9C1255269,SHA256=072C4191B6BF0D1E674B2E6445E9E6CCEBADE9F9ED37B918F130DA2FDC80D59E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901755Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:49.952{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1F08A59645CC56BF07A288D241F9E36,SHA256=7399628934CDFABD3A8EFCB29BEC3DE5216F447A0AA8CDE66D3B528C5C86D577,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015901754Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:49.484{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EB9D-60DD-932A-00000000C701}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901753Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:49.484{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901752Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:49.484{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901751Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:49.484{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901750Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:49.484{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901749Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:49.484{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901748Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:49.484{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901747Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:49.484{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901746Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:49.484{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901745Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:49.484{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901744Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:49.484{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-EB9D-60DD-932A-00000000C701}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901743Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:49.484{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EB9D-60DD-932A-00000000C701}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901742Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:49.484{B81B27B7-EB9D-60DD-932A-00000000C701}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901741Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:49.437{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F2C45E64CE40B00AA4EEAD5FB00E69,SHA256=0341717108D60EE99A506E950A335F12062FB0CCC3DD4B2C819C1C9F945D1576,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:50.993{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=536FD2FFD06A340852C47843E15AC3F4,SHA256=05748567DC3732B4772DB4E96FEC25A16A539D4991C5568371E19C2CC5113AD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901757Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:50.483{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EE3F0B5C8C0AD6766957AF0B58A2802,SHA256=14D697970213787837253EB4D7C658F0E9239864DE4C679AFD7C80AD2A18E9AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901756Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:48.431{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52115-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901758Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:51.483{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12210F8FCF3ABC5A043EDCBE259C758E,SHA256=F575830EF546E6B0DAD88228FA6EF046F9B157D851A1A4D55977E328350F8A8B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:52.368{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5AC8D4B3392E7035C9A10CF40B337FD,SHA256=D078DD4A8CAE2350897E29035FCB407019FEC79755437E11EB6DD824E5B00FD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901759Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:52.499{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C45592D3EFE47317449216D976E0153,SHA256=F1231168D5A5911043A04AF20DC212E7DC0F6BFE4DF18A0D136AB85D712DA6E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:53.727{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D8657FA85AE3E5BE31E139E03950567,SHA256=A892AA9A2462D19E3FFB8C836434B115ACF1617D511F2D02C110BD953E5E7276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901760Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:53.515{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E88D0883F2464B9532974048ED02710C,SHA256=82CE62E573ABAC44ECE7E34921EC670D5B67D503661E3AEA00E69CC9D0E3EFC6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007998619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:51.342{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61093-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901761Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:54.530{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6B75D7E3C2D8F44DBA9505149461558,SHA256=025C31A8D59FDF1330FD90EB7064036BFEA512F7E1DCACCE774DDE142E17AB67,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:55.086{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E39E7CCE3FE91027FF44082350B120,SHA256=4105DA56DDCA7E77C4977D1DCC96A41DB9E69570246460EC913EB23705A9AAC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901764Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:55.530{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B81ADB3569E23B48858D130544474693,SHA256=F7E39A154AAE19DE3DC86AE14DA699B4C2CB326DA0C2B6E17D4992DB1C8216AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901763Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:55.468{B81B27B7-880A-60DC-1000-00000000C701}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=391F922A82723DF58AB8C9687BF1856C,SHA256=9E7F8E3312CC1D9C975C22B9756AE0022A26558F05EAF808DEA824A5FD7FEA14,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901762Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:53.571{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52116-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007998665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.461{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27EE76D8955890469E431BA14DE005B6,SHA256=1E7A68BEC6BEC92142CE676770F582CB09E5C1DF650C8891E897435F8DF323C4,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007998664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.055{3BF36828-EBA4-60DD-7D02-00000000C801}3512C:\Windows\System32\cmd.exeC:\Windows\System32\winbrand.dll10.0.14393.2515 (rs1_release_1.180830-1044)Windows Branding ResourcesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinbrand.dllMD5=CDA73668510FF0BA02967236A857CE7B,SHA256=24ADC4950116C2E3994450465B305D469B78F687EAADCBC167A8C4ECD4907306,IMPHASH=2C424150D7AE913E28B879B06042C9F2trueMicrosoft WindowsValid 734700x80000000000000007998663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.055{3BF36828-EBA4-60DD-7E02-00000000C801}1132C:\Windows\System32\conhost.exeC:\Windows\System32\ConhostV2.dll10.0.14393.4402 (rs1_release.210426-1725)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=EBEFEF1FE2B0D6FF2595203DADE100C9,SHA256=70F4BB4198467DA8E2FD7AF475536B3F2FD1B3E56CEE7E376D0303C149C449F9,IMPHASH=49A59B06FE5B10F21E36B588430BFDB3trueMicrosoft WindowsValid 734700x80000000000000007998662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.055{3BF36828-EBA4-60DD-7D02-00000000C801}3512C:\Windows\System32\cmd.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007998661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.055{3BF36828-EBA4-60DD-7E02-00000000C801}1132C:\Windows\System32\conhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x80000000000000007998660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.055{3BF36828-EBA4-60DD-7E02-00000000C801}1132C:\Windows\System32\conhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007998659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.055{3BF36828-EBA4-60DD-7E02-00000000C801}1132C:\Windows\System32\conhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x80000000000000007998658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.055{3BF36828-EBA4-60DD-7E02-00000000C801}1132C:\Windows\System32\conhost.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007998657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.055{3BF36828-EBA4-60DD-7E02-00000000C801}1132C:\Windows\System32\conhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x80000000000000007998656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.055{3BF36828-EBA4-60DD-7E02-00000000C801}1132C:\Windows\System32\conhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.4402 (rs1_release.210426-1725)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=DCB0FEE21129CF5397BBB8060CC5F62C,SHA256=89A6859022294A24D5253F4206FD49A45A1DEF34ACC894BF94CA0203DAE81623,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x80000000000000007998655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.055{3BF36828-EBA4-60DD-7E02-00000000C801}1132C:\Windows\System32\conhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x80000000000000007998654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.055{3BF36828-EBA4-60DD-7E02-00000000C801}1132C:\Windows\System32\conhost.exeC:\Windows\System32\shell32.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=5B28CA0CDE72EA21C402B62DDA249256,SHA256=8E46588F0A51745F89CB6C3011B227BE504D9B9D14FF33910DF57F4EDF15ED9A,IMPHASH=2ED99A476E2DEFB78DF894322CB4A549trueMicrosoft WindowsValid 734700x80000000000000007998653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.039{3BF36828-EBA4-60DD-7E02-00000000C801}1132C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0,IMPHASH=2C980A4DA7C717CC670CB9E1D2C4D733trueMicrosoft WindowsValid 10341000x80000000000000007998652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.055{3BF36828-EBA4-60DD-7E02-00000000C801}11323932C:\Windows\system32\conhost.exe{3BF36828-EBA4-60DD-7D02-00000000C801}3512C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007998651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.055{3BF36828-EBA4-60DD-7E02-00000000C801}1132C:\Windows\System32\conhost.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x80000000000000007998650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.055{3BF36828-EBA4-60DD-7E02-00000000C801}1132C:\Windows\System32\conhost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007998649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.055{3BF36828-EBA4-60DD-7E02-00000000C801}1132C:\Windows\System32\conhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x80000000000000007998648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.055{3BF36828-EBA4-60DD-7E02-00000000C801}1132C:\Windows\System32\conhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007998647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.055{3BF36828-EBA4-60DD-7E02-00000000C801}1132C:\Windows\System32\conhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007998646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.055{3BF36828-EBA4-60DD-7E02-00000000C801}1132C:\Windows\System32\conhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x80000000000000007998645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.055{3BF36828-EBA4-60DD-7E02-00000000C801}1132C:\Windows\System32\conhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007998644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.055{3BF36828-EBA4-60DD-7E02-00000000C801}1132C:\Windows\System32\conhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007998643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.055{3BF36828-EBA4-60DD-7E02-00000000C801}1132C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007998642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.055{3BF36828-EBA4-60DD-7E02-00000000C801}1132C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007998641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.055{3BF36828-EBA4-60DD-7E02-00000000C801}1132C:\Windows\System32\conhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007998640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.055{3BF36828-EBA4-60DD-7E02-00000000C801}1132C:\Windows\System32\conhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007998639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.039{3BF36828-EBA4-60DD-7D02-00000000C801}3512C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37AtrueMicrosoft WindowsValid 734700x80000000000000007998638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.055{3BF36828-EBA4-60DD-7E02-00000000C801}1132C:\Windows\System32\conhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007998637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.055{3BF36828-EBA4-60DD-7E02-00000000C801}1132C:\Windows\System32\conhost.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007998636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.039{3BF36828-EBA4-60DD-7E02-00000000C801}1132C:\Windows\System32\conhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x80000000000000007998635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.039{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EBA4-60DD-7E02-00000000C801}1132C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x80000000000000007998634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.039{3BF36828-EBA4-60DD-7E02-00000000C801}1132C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007998633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.039{3BF36828-EBA4-60DD-7E02-00000000C801}1132C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007998632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.039{3BF36828-EBA4-60DD-7E02-00000000C801}1132C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007998631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.039{3BF36828-EBA4-60DD-7D02-00000000C801}3512C:\Windows\System32\cmd.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007998630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.039{3BF36828-EBA4-60DD-7D02-00000000C801}3512C:\Windows\System32\cmd.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007998629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.039{3BF36828-EBA4-60DD-7D02-00000000C801}3512C:\Windows\System32\cmd.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007998628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.039{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.039{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.039{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.039{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.039{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EBA4-60DD-7D02-00000000C801}3512C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007998623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.039{3BF36828-EB54-60DD-6302-00000000C801}19921856C:\Windows\System32\rundll32.exe{3BF36828-EBA4-60DD-7D02-00000000C801}3512C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+5fc62|C:\Windows\System32\KERNELBASE.dll+5f783|C:\Windows\System32\advapi32.dll+2deef|UNKNOWN(00000192D066AF31) 154100x80000000000000007998622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.044{3BF36828-EBA4-60DD-7D02-00000000C801}3512C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exerundll32.exe 734700x80000000000000007998621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.039{3BF36828-EB54-60DD-6302-00000000C801}1992C:\Windows\System32\rundll32.exeC:\Windows\System32\userenv.dll10.0.14393.3986 (rs1_release.201002-1707)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=047D26DCED07A10913C3E7C3A7502BED,SHA256=143C661F79AC6BB271452A10C2A19F6B1AAAAE43B4062B6CFF173F7D8ABC40FE,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 23542300x800000000000000015901765Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:56.546{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=984BA12B91FC8C86703AF40E0BE726BC,SHA256=507A8AF273B3DCF8E640F92D370144E38BDF8A06E70D7EF9BC82B8A22574B07E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:57.821{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52468542E3AD0CE20B50876AC5C16FF5,SHA256=346659C5E8C1A025ED09084039BFB74BF2DBB6AD3CA995A3F83B8FA7B641A4AD,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007998696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:57.586{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Windows\System32\whoami.exeC:\Windows\System32\authz.dll10.0.14393.1737 (rs1_release_inmarket.170914-1249)Authorization FrameworkMicrosoft® Windows® Operating SystemMicrosoft Corporationauthz.dllMD5=6BAADF6A3E985DE5AB6FDA778E18F1A5,SHA256=8FD060B0F29A1FB23C3D1F389C22EC067247F1E457F331D2B15AE44323ECB8D0,IMPHASH=720B221BA6A01692F2370B4CCC197970trueMicrosoft WindowsValid 734700x80000000000000007998695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:57.586{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Windows\System32\whoami.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007998694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:57.586{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Windows\System32\whoami.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007998693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:57.586{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Windows\System32\whoami.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007998692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:57.586{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Windows\System32\whoami.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007998691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:57.586{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Windows\System32\whoami.exeC:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exeMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9trueMicrosoft WindowsValid 734700x80000000000000007998690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:57.586{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Windows\System32\whoami.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x80000000000000007998689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:57.586{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Windows\System32\whoami.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007998688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:57.586{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Windows\System32\whoami.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007998687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:57.586{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Windows\System32\whoami.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007998686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:57.586{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Windows\System32\whoami.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x80000000000000007998685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:57.586{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Windows\System32\whoami.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007998684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:57.586{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Windows\System32\whoami.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007998683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:57.586{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Windows\System32\whoami.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007998682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:57.586{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Windows\System32\whoami.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007998681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:57.586{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Windows\System32\whoami.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007998680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:57.586{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Windows\System32\whoami.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007998679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:57.586{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Windows\System32\whoami.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007998678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:57.586{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Windows\System32\whoami.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007998677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:57.586{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Windows\System32\whoami.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007998676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:57.586{3BF36828-EBA4-60DD-7E02-00000000C801}11323932C:\Windows\system32\conhost.exe{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007998675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:57.586{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Windows\System32\whoami.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007998674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:57.586{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Windows\System32\whoami.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007998673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:57.586{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Windows\System32\whoami.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007998672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:57.586{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:57.586{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:57.586{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:57.586{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:57.586{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007998667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:57.586{3BF36828-EBA4-60DD-7D02-00000000C801}35122536C:\Windows\system32\cmd.exe{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007998666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:57.589{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exewhoamiC:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{3BF36828-EBA4-60DD-7D02-00000000C801}3512C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe 23542300x800000000000000015901766Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:57.624{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FE5E4FCCEDA88D72A3701241E6A788E,SHA256=ACB0B29D6AD2F531124AE043A0449F536311AB7A7715DE7FDF4EE3A165FAB6A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:58.508{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC327430339E5D3874D2577C788CBD99,SHA256=CFD8A23AD44F66F8064FAF3AAFAD4193DA13F7000838917BD9EA9A31C0E1E52A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901767Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:58.640{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C34CD9EE3C1004C5C5EC69169812554,SHA256=7B8EF1A22B1BC15BF2717E87780DB6F12F39ECF9F3545A59E60E68F913F71406,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007998700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:56.451{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61094-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007998699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:21:59.227{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8115585CF6E2DD6B6FD8E79B35BFB62F,SHA256=64B45B57A54461A49410B600D0545812D048909A83B827878EB9B99EAF9D20F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901768Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:59.671{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B4E938F4A22E777E5BE2B1208845297,SHA256=3D187DB09A65A76A95E93A33BDCAD548958AD6875FFF5A618DEF6A34355F64DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007998704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:00.837{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1600-00000000C801}1320C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:00.837{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1600-00000000C801}1320C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:00.837{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1600-00000000C801}1320C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007998701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:00.587{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FF83C596B0717CFE4120B8D989054C3,SHA256=86FFAA8C01EDC17C14D56F48D6D60B02876A4B3031D70E27E3EA2C8D3CF340C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901769Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:00.702{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03EDFCDAC9C0B037BB32C942B89E9872,SHA256=A82638E0A2B53CB81E8CFD9DD29EABBA8C14D95EF02CBCC1C27D930B59FDCF03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901771Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:01.702{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE2EA078D5FB2FF7A55BAC865DF30FD,SHA256=5BA67BAC205B10B59C69770E4BEE3C9CBB9F377F32F40DA13A875DA6C1CDFE4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901770Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:21:59.451{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52117-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007998705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:02.007{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07C529D56E02D19C75E69780FCDA5159,SHA256=76384CAF7E52E06DD9345E820812FB5F8469D45CC15C6BA10B6E9CDCB2C69917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901772Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:02.734{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A43E6F7136393ADA87F4B98D41F7A61,SHA256=B250BD572EA9248056972728B4CDC44034A6632318C16DD532D5DC43492E7B59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:03.369{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34785521DE833D6062C87037BC741374,SHA256=CB73B15050C2FFBEA58A2F8F55EEA2B15CFDC526F8EE548844A4F2CF7EDE18E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901773Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:03.749{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=178DFD23C49977780AA3B518FB86BA76,SHA256=1E63465AFDA40B888551A18A61D70A79CC00B29356E799739F590063E00B9DAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:04.744{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F6B4D26A48C49FECC22754D8F59744A,SHA256=9195188FC6A99368E4C4E2E974F600A463BF6D03E44F705485AC646479E73A72,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007998707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:02.359{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61095-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901774Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:04.765{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA497FD611FE71F8F8380242D77645C5,SHA256=5F0FF365FA50652711FFBBE0702858736C43DC7104EDD58CC10831B7881163E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901775Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:05.765{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C7554BBDB78931072FD6F7AD2ADAC38,SHA256=85E6BA10B2C0C01E302B2A4ABFDE7EB6A5A1970F66903B04856176937839801F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:06.103{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=301B411C1878829DDEF092617668C28F,SHA256=FB1CA9B025FDF725E0665190B162F7AD881E5803142A3031E56D5BAED93172AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901776Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:06.765{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5830868DDDDE65A5426A9F6525A5F01,SHA256=26FF6148EFB390EC6E89274E58772783D8883EF78349C2A7CCACAA754DA09EF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:07.478{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20C332CE4A17E171C18C597147DC39DE,SHA256=B82E6BA79B9D254130FCDEC63E7D19C7EB06FACA9CF235DBF5DDB5DD7F82B800,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007998710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:07.478{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC2AFA666170FA652DD7EFB19B11C39E,SHA256=2B44CE85ACA02994AABDD20F69B82BFD18E32E7B5F133A5188C5DF812ACE3370,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015901778Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:04.508{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52118-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901777Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:07.766{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC73088D91FD893CFEA4326C85F7B940,SHA256=02D01DC3CDAA7B7EF77B90574BE2573B4D9542BE9887CB59A036EAB001B20E11,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901779Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:08.781{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D733E4C1E1B33CBA45C373C04E4BA40,SHA256=710077823552FFEB62E3FF80E947D62622901D2F3546B43AC6DC2C3FE026E0A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901780Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:09.783{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25AE77FAE9656F5FA5E26477A8F939D6,SHA256=175EBAAD59050ADEC0E0A7B7EB383EF6E3DADE256290C48BA4F0B0694AB1FA6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007998713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:07.391{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61096-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007998712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:10.495{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7958A6DDBA4FBF6980AA3F8B79F71BEF,SHA256=C7F3CAC1C9529FE1C18DE387C175C253AF559CCDBFD6CDE78C6AAA88AD1266EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901781Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:10.815{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8DAD7B7E25FCB5A2CAAE86D5A990AB2,SHA256=5A77E4D07047378503C5DDDAF284FF89700B39397328986F9E7350A1F09DF762,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:11.870{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAD3D90F76C77E67BA3349BDE588864B,SHA256=C619266005E4A3D2F9B25BCB50B1E2661FCE20204A4D4CC69D6A35E785A43CDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015901783Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:09.527{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52119-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901782Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:11.846{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE3400574CD68EB9798193B45A474FEC,SHA256=8461BE02BB7B70349E028D9B130333931FBDD506D4FEC3C1E7441DC9E1C34B82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901784Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:12.893{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=374E8743158B45247104859DDCF34567,SHA256=1D28EAEDEA112F926ECD6C7CDDC0F1F78F57591DAD5B1824582B5478937A4A4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007998717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:10.860{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61097-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007998716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:10.860{3BF36828-DD1D-60DD-2F00-00000000C801}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61097-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x80000000000000007998715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:13.245{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CC965E00854B838310AB985C9DE4798,SHA256=2669BCD8EAE44013E766AA64A662BB1997A382C91EE37F492564C91673473C64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901785Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:13.893{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0C0B7902684697AA633C49D87657872,SHA256=1CF43851800A0DB9954F230EE547D163C437A6464615338DC37848170AB90355,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:14.604{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71CA2001E5B5C1E3766BFD4C37A100F4,SHA256=113EE18C8A4FF18466B9FA51B783998F76050D95736C396EA54DE74679DF855E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901786Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:14.909{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9F340203D83E39377C6BD62904FF415,SHA256=B81C4A182F290FF4F10299F22C18597B4C51F4594D02835239E5731AA15E8B55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:15.979{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=103163A43FB584F8137B909A5C681E2A,SHA256=83BFD169CC602DF1F8BDE657B4C2CE0D9F6E6557D2E14CD4F64C76BD8FE60932,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007998719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:13.313{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61098-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901787Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:15.924{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22370579A31D97ABA6A3A99F1CA16A61,SHA256=6D0D810E1D75CC958340EDA10636E1E50A58B5FA98CC40FDCEA6AD2953897058,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901788Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:16.971{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=033F3E92A3A802B76190B6DDC03397DC,SHA256=55257E3890B5B1EF4524C9BB8D3F7F05C89D434E07CB5E163F0C60BA1BFF6FE8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:17.354{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C8180831F601745E45A36D43E1B3887,SHA256=AF1705D9CC68D6BF16737978BB8CE3FA655805DDFF0B43E7550B5DC837CCF5C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015901789Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:15.543{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52120-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x80000000000000007998774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.838{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007998773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.838{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007998772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.838{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007998771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.729{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007998770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.729{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007998769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.729{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007998768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.729{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007998767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.729{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007998766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.729{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007998765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.729{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007998764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.729{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007998763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.729{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007998762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.729{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007998761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.729{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007998760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007998759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007998758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007998757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007998756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007998755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007998754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007998753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007998752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007998751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007998750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007998749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007998748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007998747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007998746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 23542300x80000000000000007998745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24FDD6B6750A195CB31703A200124AF0,SHA256=C7A06EEEDA8E2C632AB972995AA078C5286EF9ECF9ACEE853BBE908A90A02F3A,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007998744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007998743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007998742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007998741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007998740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007998739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007998738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007998737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007998736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x80000000000000007998735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007998734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007998733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007998732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007998731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007998730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x80000000000000007998729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007998724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007998723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.716{3BF36828-EBBA-60DD-8002-00000000C801}2084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007998722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.713{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=671774A4917CED75A6E16B373E51806E,SHA256=F1B952F41F4F552397D49E75B7B4B8169FC73191F2F8377D76D95ECF76B54E0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901790Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:18.002{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04EC5DA3DC45CDD698A2CD65F88EB297,SHA256=78F4569D0B63A0768C4A2AA65F63206AC9B9CFFE7B81901027AA20980D469E11,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007998825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.635{3BF36828-EBBB-60DD-8102-00000000C801}23764228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007998824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.635{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007998823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.635{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007998822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.526{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007998821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.526{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007998820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.526{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007998819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.526{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007998818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.526{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007998817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.526{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007998816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.526{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007998815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.526{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007998814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.526{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007998813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.526{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007998812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.526{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007998811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.526{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007998810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.526{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007998809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.526{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007998808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.526{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007998807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.526{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007998806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.526{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007998805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.526{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007998804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.526{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007998803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.526{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007998802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.526{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007998801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.526{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007998800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.526{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007998799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.526{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007998798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.526{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007998797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.526{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007998796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.526{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007998795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.526{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007998794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.526{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007998793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.526{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007998792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.526{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007998791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.526{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007998790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.526{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007998789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.526{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007998788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.510{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007998787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.510{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007998786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.510{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007998785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.510{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007998784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.510{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007998783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.510{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007998782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.510{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007998781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.510{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x80000000000000007998780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.510{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.510{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.510{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.510{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007998776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.510{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007998775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:19.403{3BF36828-EBBB-60DD-8102-00000000C801}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901791Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:19.018{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E8F1A81DD249090CBE062787793A093,SHA256=A9306B0F6DDAF3366A4DC9767C3AE9C0F509C4F2EB2F51189876EDB076F1B331,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007998828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:18.360{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61099-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007998827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:20.760{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA6E51CDF5B5835B7BCAA127D17327C,SHA256=6A6A5A14BA2F9F4D0FFF90D81FC93C28C136568C47223CCF3D77A1A5228AD656,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007998826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:20.088{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=824FF3FD5972FE0D3805AC31500CA66E,SHA256=D4677A6DF0EC3A7E6A35ED35FF5B0938F188DB644BE7F8B231B456B857162F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901792Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:20.096{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6789C5F22B06AB92D7ED8644A880C4D3,SHA256=8A76CD4800E7141F74D5FFAD0195F17E625089225BDEA6E00EE95F85A24891A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:21.448{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C4519144F36D6EAE02CF4C740EC8D47,SHA256=3C768486689EDCE7386C97D2E34055AE6E7BCD29FA0BCB3FD264B6C67FA08069,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007998829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:21.229{3BF36828-DD1D-60DD-3000-00000000C801}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901793Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:21.112{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=520E8E8AA47EBF590DD46818759C797A,SHA256=633A1C17C045D98C7BF9A08658BE3A293B38A185A8FF504EFA928E8904787D3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:22.885{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D6313FB6DB0465E085F5CC679851C17,SHA256=06F6C01269025C59415CF303624654323D194CEBD162F8E181680648D85427FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901794Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:22.127{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C3A0BFEBD3DDB7EA3257CA894E91D8D,SHA256=B495E77EFB97DA4463BE9E78F9E5771697B92EB4E12079E74FF9037840300586,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007998832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:20.422{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61100-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000015901795Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:23.143{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB6A1CEA814758D3D16C4B8D6252F5FB,SHA256=4A5BFAC5745185F407B8928FFF7EC8706F3012544A3B4B183DD0D444984DC3ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:24.323{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC6CBFBCDE2AD12AE9F2596EF6428548,SHA256=5C4A978094BC9E3094CC7EE58B8E8A93F33F7D69EF9E07B1F028A56A44843EDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015901797Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:21.449{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52121-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901796Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:24.159{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=756E9455570BE7B39235A1935E3D8D09,SHA256=7E07323DB09FB5278B8ED9A0D59ACC6D6FE80C513FEFEC6CF503ABEFF1631E72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007998834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:25.697{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DF2E8C2FFD949DEC3A3025E087D7290,SHA256=DE41CECB166F535828036B5B7E21ADA80FB138B20A3E76960B8854864A17E284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901798Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:25.174{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=956C2A9BC51612B60C441FA50B36F094,SHA256=82D0D6602E934114B3F0F73277BD7C14C72E90EF8F2B0A9ADAD54AF7B5E3887D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007998886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:24.328{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61101-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x80000000000000007998885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.494{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007998884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.494{3BF36828-EBC2-60DD-8202-00000000C801}7041572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007998883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.494{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007998882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.494{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007998881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.385{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007998880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.385{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007998879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.385{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007998878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.385{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007998877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.385{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007998876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.385{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007998875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.385{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007998874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.385{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007998873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007998872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007998871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007998870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007998869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007998868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007998867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007998866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007998865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007998864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007998863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007998862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007998861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007998860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007998859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007998858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007998857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007998856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007998855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007998854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007998853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007998852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007998851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007998850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007998849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007998848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007998847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007998846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007998845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007998844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007998843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007998842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007998841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007998836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.369{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007998835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:26.372{3BF36828-EBC2-60DD-8202-00000000C801}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901799Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:26.190{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=755EAC7BBC61677A1876AD16BB01EB3F,SHA256=38B654BEF240C75BB2C2AC71CE11DAC35C0C6E4D17CF3D231346823FB53D491A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007998989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.854{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007998988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.854{3BF36828-EBC3-60DD-8402-00000000C801}9722892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007998987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.854{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007998986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.854{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007998985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.744{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007998984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.744{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007998983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.744{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007998982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.744{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007998981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.744{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007998980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.744{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007998979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.744{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007998978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.744{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007998977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007998976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007998975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007998974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007998973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007998972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007998971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007998970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007998969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007998968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007998967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007998966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007998965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007998964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007998963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007998962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007998961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007998960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007998959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007998958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007998957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007998956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007998955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007998954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007998953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007998952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007998951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007998950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007998949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007998948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007998947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007998946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007998945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007998940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.729{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007998939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.731{3BF36828-EBC3-60DD-8402-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007998938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.182{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007998937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.182{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007998936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.182{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007998935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.072{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007998934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.072{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007998933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.072{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007998932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.072{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007998931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.072{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007998930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.072{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007998929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.072{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007998928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007998927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007998926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007998925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007998924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 23542300x80000000000000007998923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0631701FAE7260E50FE27CB49C86DA7F,SHA256=C8643738682A3C67B4D3CA7E9EAC3CD3BB8DE427C4D99348B459E0E7D3AC3215,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007998922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007998921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x80000000000000007998920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007998919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007998918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007998917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007998916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007998915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007998914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007998913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007998912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007998911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007998910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007998909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007998908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007998907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007998906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007998905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007998904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007998903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007998902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007998901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007998900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007998899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007998898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007998897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007998896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007998895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007998894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x80000000000000007998893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007998888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.057{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007998887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:27.058{3BF36828-EBC3-60DD-8302-00000000C801}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901800Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:27.205{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88D37E436CA465D11419348824C8C7B2,SHA256=39CD1A66FDDF3413D3D89FC6C3F17C5041547E4B976BD2BB9467E9843DF7E4E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007999042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.551{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007999041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.551{3BF36828-EBC4-60DD-8502-00000000C801}5084596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007999040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.551{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007999039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.551{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007999038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.441{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007999037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.441{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007999036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.441{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007999035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.441{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007999034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.441{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007999033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.441{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007999032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.441{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007999031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.441{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007999030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007999029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007999028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007999027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 23542300x80000000000000007999026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2694139191B01A687CED20801B4601AB,SHA256=6607543BC41E5B14F4FF78825876815C165A6988D82C38B4BB2970EE3226C4A0,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007999025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007999024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007999023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007999022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007999021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007999020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007999019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007999018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007999017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007999016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007999015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007999014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007999013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007999012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007999011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007999010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007999009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007999008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007999007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007999006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007999005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007999004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007999003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007999002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007999001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007999000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007998999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007998998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007998997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x80000000000000007998996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007998992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007998991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.426{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007998990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:28.428{3BF36828-EBC4-60DD-8502-00000000C801}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901803Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:28.793{B81B27B7-880B-60DC-1F00-00000000C701}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901802Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:26.449{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52122-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901801Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:28.214{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD3F5DF3C3108B2AE7DFC545DA35874D,SHA256=548753ABF216EB5C66E788A14912F68F2B7D0AC77A73EC9B4DB54810F11F467D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.832{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57041E74F7CFACC857EC6F41CD218F24,SHA256=9A9F7C510A41A9D0C800AC7E74D3063D124D25F9A2AFA1C0EF9F0D39D8EAAE3D,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007999099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.222{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007999098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.222{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007999097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.222{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007999096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.113{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007999095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.113{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007999094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.113{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007999093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.113{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007999092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.113{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007999091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.113{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007999090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.113{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007999089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.113{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007999088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007999087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007999086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007999085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007999084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 23542300x80000000000000007999083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=121A1FF5ADD3FF35ACA2B2F1532400A0,SHA256=51485DBA3BCAFE7B6EABBEBE9ED8944833264B18419EF5083692BA240292E7E9,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007999082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007999081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007999080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007999079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007999078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007999077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007999076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007999075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007999074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007999073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007999072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007999071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 23542300x80000000000000007999070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A4B5CBB7D41A52554E885A3C69BBA07,SHA256=2CA7A66336625F49A70FB32AF878BDA95D0ACD801D9ACFE223C93E90C3E43641,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007999069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007999068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007999067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007999066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007999065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007999064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007999063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007999062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007999061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007999060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000007999059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007999058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007999057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007999056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007999055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x80000000000000007999054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007999053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007999052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007999051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007999050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007999049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x80000000000000007999048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007999044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.097{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007999043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:29.100{3BF36828-EBC5-60DD-8602-00000000C801}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901804Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:29.261{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9670C3699BBDE35ED3725BBB1AC8FE5,SHA256=37813EBDBA612E9D283E13E709652283ADD4029253CBD7FFF72FEA63229CE0C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:30.504{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3820C64EBA57C8916A2B39AB79D06BBC,SHA256=92223BE862D6F511258B67E489CFEC6F0E1B2FC15C4A3A0D420EBD1AA6A40BF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015901806Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:28.083{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52123-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000015901805Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:30.293{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F153129B7F4472E13CE89A0A32D540,SHA256=39D534C070BC6CD049F288671559DD454C808BE669A7AEC57865E1141BB83971,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:31.269{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61F606D000D80A658CD4E75A9B18A7B8,SHA256=0E05F23BE536E83F84F8841116354B505F7E143F7DCD7D0812EF3234C6CB0C8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901807Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:31.293{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4774E311EF7A797B460D954855F93D8A,SHA256=92C281B7B8044A794B984DCFF4FCB42E9D0FE93D1827846753D23025083D46F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:32.754{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3658CC0D1BB6361F402E9F2EBE18EB2E,SHA256=7EE2174BC284035DE089D427B126548963B4E838B25A69695B6D3075164AB469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901808Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:32.293{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F20D5D852D4B25460023FB8FD6EC1949,SHA256=ED193CD1AD8217E4DAA69CB1920EA1EBB8B58FE9BE9E69A3D037A99583D2A8D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007999104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:30.291{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61102-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901809Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:33.308{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4100B9BE11B80D118CEC73CD2BACA6F,SHA256=EB26AD73D7575DCE31539893F3F371F82AC03189FA55815EB7528F02C88AA32B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:34.175{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978FA3DFD1F3972EC29DC4B4082F2CD8,SHA256=6A06E08F59162EDB99DE74B59BA61024CC7D2F7F2877ADE37698F42C0D9C6027,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015901811Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:32.442{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52124-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901810Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:34.324{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20F9C22BF69F6455D42DB709BACA9D0B,SHA256=F54CD2793B363B2E42E905159A17AC88B814FE54C9CA9AF8D328BE0A3D16A542,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:35.550{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=087A9BA2028B418F3C290D10410A1A0F,SHA256=9DD326548014DA67A300651E32321DBA1E13B2126A0948FD513C27854D22305E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901812Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:35.339{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF791428DE92AFA11DE23C469968E567,SHA256=F45E7400AB637F7907868822765CCD466C78FC6E44973DE3BAF9C7D307D1173E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:36.910{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40BC6ABCAFC5DFE8B0AC3A7139531AFF,SHA256=3558BCBB50768EFD7E91FD8C23212D0C7126B6CB6662B0A009EA9221EDE04936,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901813Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:36.355{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40C517CBEB5E0753A8E2DD32A4A0AC18,SHA256=7F5E07355ACAED5E9808FDD2EEA4F08BC969CF28D4617EDED69BF84374DCCD12,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901814Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:37.386{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFDCAA599437B4D222CE369D51E35C35,SHA256=92FCDD16C069E2ED9AB05C3A5143D0071672B1520580CA1564903646EC96097D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007999109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:35.322{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61103-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007999108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:38.285{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C08A01B918E8EB1244C0988047020411,SHA256=3D9F52E1A2DBD1C30FBB769E947E0AF6415323DAC68A4AC111360B543344DF1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901815Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:38.418{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9D722021FC7464145E14FC00DF9BA68,SHA256=8A8AE74FFB6947D3964359E36DF053B10300E7734F490662D110EE021E1398D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901817Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:37.473{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52125-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901816Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:39.449{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0487CE9E86614BAABC7D0DC7E1299B3E,SHA256=CA3559605C47A800AE15BCA4D37A364E3732D3CB10CC971AF9B771FEE3CA3D10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:40.316{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB4AEFD9B2A6D5F8E5CD61805777E8BC,SHA256=4F49B5E735DBEDB40EF7493CFF2F442C6A2EF18341BDD98B35C202E34ACD3EFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007999110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:40.316{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEC125F8261C7C9FF8D2D5C64EFC3053,SHA256=6FB252BB06B735C4DB491509AA8F902431C8B85F82B8909E70F949B1548183BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901818Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:40.496{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02D4E75771C2C41F7C65C54F39CF81A6,SHA256=3C08BAED554C8C74D33D4680BA8D28EF14927320DCEDB82AB036314F454B5431,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:41.332{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF8DE5492BEA08F671C04ED525CA8B5,SHA256=03251D59282973CCED9B49BA6AEE868A5A41139E76B3B49C491138E55A999B9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901819Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:41.511{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CEFDB1E543CF289FB348A113D41014D,SHA256=AA176A52CC4115082E9DE2E8F6624D7269F10E744F139D3FE4D3583ABA5B47D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:42.660{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EC09BA340C0AD6115FB857BCF8B7EC6,SHA256=DADE3B66040079C27575D47A8EA540FE8DDCC89C007E7825E9084FD426AE9E9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007999113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:42.503{3BF36828-DD0D-60DD-1200-00000000C801}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0449616692F3D3F1FC174B02DC46FABD,SHA256=F6CF94B1A51A11666D900DC7E4856C13C3FF58867BD14C1A12289736AF5779A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015901833Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:42.793{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EBD2-60DD-942A-00000000C701}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901832Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:42.793{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901831Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:42.793{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901830Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:42.793{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901829Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:42.793{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901828Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:42.793{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901827Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:42.793{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901826Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:42.793{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901825Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:42.793{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901824Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:42.793{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901823Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:42.793{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-EBD2-60DD-942A-00000000C701}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901822Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:42.793{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EBD2-60DD-942A-00000000C701}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901821Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:42.793{B81B27B7-EBD2-60DD-942A-00000000C701}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901820Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:42.543{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6385D533F1D38BA8A4497E5EC875760,SHA256=B0040E089B6DC423BDDDF7A9CEA2D9027A51B25EE5E69940627B6BA9D35660FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007999115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:40.447{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61104-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901849Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:43.808{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8C25E7A4BFC3E616BF3B601F39BEDFE,SHA256=67165592B2F1148D4B13C3C82AAD9BA8F0156A3712CE0F8F3BF020D49D95E438,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901848Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:43.808{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=390436ADCC7EF8CFF57DFE8C19413CFC,SHA256=D8A62880F25B67B605A552FA071C443C8EE570E4AF08D0E47A6300AC8D21528D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901847Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:43.699{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70E6E71A542A7ADA4449F9BCD5C9C084,SHA256=31030B90141E56B14CB0D00057EC097F26913D0745E2E9BC4805D85962FAFCE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015901846Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:43.465{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EBD3-60DD-952A-00000000C701}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901845Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:43.465{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901844Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:43.465{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901843Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:43.465{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901842Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:43.465{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901841Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:43.465{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901840Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:43.465{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901839Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:43.465{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901838Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:43.465{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901837Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:43.465{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901836Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:43.465{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-EBD3-60DD-952A-00000000C701}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901835Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:43.465{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EBD3-60DD-952A-00000000C701}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901834Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:43.465{B81B27B7-EBD3-60DD-952A-00000000C701}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007999117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:44.769{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=385630C8C8FD57F3C7B3D63BF6224A64,SHA256=74726362874A7AC92DE4E6A8AC371D2F319DA3218D80C25AAFAAA8B8E290EA06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007999116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:44.081{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13B9D5525FAB8282C1F649FFB5F30AD7,SHA256=FA9012606B547F42C958ACA22B21A90ED3AC70544B6F2AD126960FA2D41B1EBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901864Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:44.699{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B83591D3C0BF470247DB701CC2728D00,SHA256=975C30BBC86F6943D0D1C60A21B3EFCBAFBA84665B0C098D227A243A8FD894A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015901863Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:44.277{B81B27B7-EBD4-60DD-962A-00000000C701}2744808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901862Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:44.136{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EBD4-60DD-962A-00000000C701}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901861Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:44.136{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901860Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:44.136{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901859Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:44.136{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901858Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:44.136{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901857Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:44.136{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901856Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:44.136{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901855Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:44.136{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901854Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:44.136{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901853Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:44.136{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901852Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:44.136{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-EBD4-60DD-962A-00000000C701}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901851Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:44.136{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EBD4-60DD-962A-00000000C701}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901850Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:44.137{B81B27B7-EBD4-60DD-962A-00000000C701}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901867Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:45.715{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=541BF801091F3C4EBC86F442B595F323,SHA256=D2C74DDFA070C712FDC138A0198E41AD4FA0E23CA1A91F14B7C6B245816F75A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901866Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:42.520{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52126-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901865Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:45.355{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8C25E7A4BFC3E616BF3B601F39BEDFE,SHA256=67165592B2F1148D4B13C3C82AAD9BA8F0156A3712CE0F8F3BF020D49D95E438,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:46.128{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83F6F86F0E9ADC50F46F4CB710A7A9EF,SHA256=3FCE2023B1BC93D55A917E139C45DAE81771F199EA1ABED41518333302F04B32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901868Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:46.730{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D08EDFD83E1E2B1A0FD62640976010,SHA256=FCEE28A3FDBD809AF733D346BE53B5DFC08397E321FAE7D2BBC1451F8FE7FB88,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:47.519{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC30B965778D03454E13FD7572732CA7,SHA256=FB84C84F20F1BC49AA3D12AAA69C8B3F4392B4D33E8D36352905C3CBB87FAC76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901883Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:47.746{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F1868AB81646DF5DF2F67A3A416D673,SHA256=4647F5841DC829A26A35B3193FFA29365C98048F85D2A80AF5AFD67908B2BDF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015901882Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:47.480{B81B27B7-EBD7-60DD-972A-00000000C701}36764316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901881Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:47.340{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EBD7-60DD-972A-00000000C701}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901880Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:47.340{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901879Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:47.340{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901878Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:47.340{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901877Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:47.340{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901876Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:47.340{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901875Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:47.340{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901874Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:47.340{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901873Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:47.340{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901872Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:47.340{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901871Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:47.340{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-EBD7-60DD-972A-00000000C701}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901870Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:47.340{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EBD7-60DD-972A-00000000C701}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901869Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:47.340{B81B27B7-EBD7-60DD-972A-00000000C701}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007999122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:48.882{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=871F04C9EB6AB419E684801B23F6A559,SHA256=C30122706B536F38A5139C4455B74B858D26F483EA2FC5939DBFECB5E06D5452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007999121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:48.882{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E25CEEBD50519520A14251B44F65226,SHA256=86DEF7C75F44622BED87DBBC038866CBDE1EF84136360C9DFDDD9579AFF28DC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007999120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:48.882{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9BF2FA2FF36E1320402707789AE07B37,SHA256=D5E8AC6E3DCB884B50814BDEBD9CD3AC38EA816D7EAD56FA0B941EAB28ABC617,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901912Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:48.781{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADC085C674883E10560CA047C92C2A58,SHA256=75C207E751666250F950A793026E3DD337388AA136FCFCC81841E5BB7605C6E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015901911Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:48.687{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EBD8-60DD-992A-00000000C701}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901910Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:48.687{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901909Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:48.687{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901908Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:48.687{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901907Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:48.687{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901906Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:48.687{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901905Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:48.687{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901904Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:48.687{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901903Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:48.687{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901902Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:48.687{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901901Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:48.687{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-EBD8-60DD-992A-00000000C701}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901900Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:48.687{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EBD8-60DD-992A-00000000C701}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901899Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:48.688{B81B27B7-EBD8-60DD-992A-00000000C701}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901898Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:48.359{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01BC5BB588CB98F07CA49C8DD796E950,SHA256=52997456C7A5167D711C525EC02640EC6D398974E41A301807D952276F412B12,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015901897Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:48.156{B81B27B7-EBD8-60DD-982A-00000000C701}23685304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901896Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:48.015{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EBD8-60DD-982A-00000000C701}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901895Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:48.015{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901894Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:48.015{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901893Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:48.015{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901892Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:48.015{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901891Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:48.015{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901890Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:48.015{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901889Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:48.015{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901888Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:48.015{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901887Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:48.015{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901886Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:48.015{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-EBD8-60DD-982A-00000000C701}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901885Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:48.015{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EBD8-60DD-982A-00000000C701}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901884Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:48.016{B81B27B7-EBD8-60DD-982A-00000000C701}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007999123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:46.321{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61105-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901929Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:49.812{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D78C121D121AE522A715008B123D833,SHA256=F1ABE9AD860066601715714E6E89E53B860899C93C7CC218CB4964C09DDC8537,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901928Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:49.750{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECF382A79465738DCDF1A3EF2B2FDCD6,SHA256=E10C89C225F0B1289D4065C6550407D364FED1AC407803F70BA7E3574480C635,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901927Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:47.524{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52127-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000015901926Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:49.500{B81B27B7-EBD9-60DD-9A2A-00000000C701}60325124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901925Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:49.359{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EBD9-60DD-9A2A-00000000C701}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901924Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:49.359{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901923Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:49.359{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901922Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:49.359{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901921Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:49.359{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901920Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:49.359{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901919Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:49.359{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901918Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:49.359{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901917Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:49.359{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901916Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:49.359{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901915Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:49.359{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-EBD9-60DD-9A2A-00000000C701}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901914Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:49.359{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EBD9-60DD-9A2A-00000000C701}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901913Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:49.360{B81B27B7-EBD9-60DD-9A2A-00000000C701}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007999125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:50.242{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=583C5AB05B5DC004E807202737BD91C2,SHA256=C16DD10676F5C15DD42A696EAF1D7E62E85D360B32903FEF9E44173C27530DA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007999124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:50.242{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=660E11FA093C940BBEB1C7CFDC2A3CCF,SHA256=4672680BCC66192E265277335179742901C87291EC41A514CA00E0BCAFC4B7F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901930Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:50.828{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C19051C36EB84288048F950DC516228E,SHA256=0E4B9D6452DD5299E0BB88B04A1BEB102C2F373D3C3E9D84C7DDB81574419BD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:51.601{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7B0670E504027F25D9BA15DD39CA9B8,SHA256=5E7BC1181901E829228A2EF564E896CA5958CE3E0A8AF6730393C2EE652722AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901931Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:51.844{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF0A8F6AAD5F5CA6AA05D025571AD255,SHA256=94ECE09F087876D2F5B82A108E04262B0BC1235E08D8991E939C255EA74BD7B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.976{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C73DB5B81975717E703F3A91D398C70F,SHA256=B0CDA816FA493EC98FDD8C8C4FCC236153BF33B06212D4AB1942F468284C3949,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007999190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.757{3BF36828-EB64-60DD-7502-00000000C801}3980NT AUTHORITY\SYSTEMC:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\Old\2\UNIDRV.DLLMD5=E436D98FF6EA2DEFCC71561E46718CF8,SHA256=24635AE9BC12B4133CE35EF96CACA51A269ECC320BC1CD9A257417D16959D087,IMPHASH=012DBD89908BD18476361E7B607D0AD9truetrue 23542300x80000000000000007999189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.742{3BF36828-EB64-60DD-7502-00000000C801}3980NT AUTHORITY\SYSTEMC:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\Old\2\evil.dllMD5=2E095DF3D3FC82B6171F548DA0699833,SHA256=4033B2A0206F4B4E915CFB0912954F6C169D2D3545090AA72AEBF6910596F0B8,IMPHASH=22647E5B96F2DE81D003F25D98D7D2DCtruetrue 23542300x80000000000000007999188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.742{3BF36828-EB64-60DD-7502-00000000C801}3980NT AUTHORITY\SYSTEMC:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\Old\1\UNIDRV.DLLMD5=E436D98FF6EA2DEFCC71561E46718CF8,SHA256=24635AE9BC12B4133CE35EF96CACA51A269ECC320BC1CD9A257417D16959D087,IMPHASH=012DBD89908BD18476361E7B607D0AD9truetrue 10341000x80000000000000007999187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.742{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007999186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.742{3BF36828-EB64-60DD-7502-00000000C801}3980NT AUTHORITY\SYSTEMC:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\Old\1\kernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9truetrue 10341000x80000000000000007999185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.726{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+58a7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.726{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.726{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.726{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.726{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.726{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+58a7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.726{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.726{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007999177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.726{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 10341000x80000000000000007999176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.726{3BF36828-DD0C-60DD-0C00-00000000C801}864976C:\Windows\system32\svchost.exe{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007999175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.726{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007999174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.726{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570,IMPHASH=2E790E44628AED89C2CC17E1E4A5CE1CtrueMicrosoft WindowsValid 734700x80000000000000007999173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.726{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 23542300x80000000000000007999172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.726{3BF36828-EB64-60DD-7502-00000000C801}3980NT AUTHORITY\SYSTEMC:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\drivers\x64\3\Old\1\evil.dllMD5=2E095DF3D3FC82B6171F548DA0699833,SHA256=4033B2A0206F4B4E915CFB0912954F6C169D2D3545090AA72AEBF6910596F0B8,IMPHASH=22647E5B96F2DE81D003F25D98D7D2DCtruetrue 734700x80000000000000007999171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.726{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\win32spl.dll10.0.14393.4169 (rs1_release.210107-1130)Client Side Rendering Print ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationwin32spl.dllMD5=C000FFE69C767D54449CF711619B8DFB,SHA256=DE547D157D96DCA1BABF226DE46DAD589FFCE02BF090354D1975C6F87FDDD29B,IMPHASH=9C804F220C58F0D8846B32977062AB6DtrueMicrosoft WindowsValid 734700x80000000000000007999170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.710{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\dsrole.dll10.0.14393.0 (rs1_release.160715-1616)DS Setup Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationDSROLE.DLLMD5=2A319EC8DF0FB5C46CF311B9D2B65B1D,SHA256=62B8900EFDF4B30E54E11232A8DA95DBF066DAEFD364A66EB99ADC028A3798F7,IMPHASH=E4AC0A0BD42B7356347D6A1BE150F6A6trueMicrosoft WindowsValid 734700x80000000000000007999169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.710{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\gpapi.dll10.0.14393.3986 (rs1_release.201002-1707)Group Policy Client APIMicrosoft® Windows® Operating SystemMicrosoft Corporationgpapi.dllMD5=601EDCF334B3DA561BE85560BFAB4831,SHA256=69422D4F7B2E9673178761052D25718F2F1F1D7D5B0962798ECAC66C123FB207,IMPHASH=54A7A105E11720BE50C587CF0CFA8828trueMicrosoft WindowsValid 734700x80000000000000007999168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.710{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\userenv.dll10.0.14393.3986 (rs1_release.201002-1707)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=047D26DCED07A10913C3E7C3A7502BED,SHA256=143C661F79AC6BB271452A10C2A19F6B1AAAAE43B4062B6CFF173F7D8ABC40FE,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x80000000000000007999167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.710{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\spool\prtprocs\x64\winprint.dll10.0.14393.4104 (rs1_release.201202-1742)Windows Print Processor DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwinprint.dllMD5=0D14ADC76702690ECF3FBEEB8BD68F2F,SHA256=E1D289EC40D8B5CBABA71A87DD9885CC98FC81D064FD811DAC121D51D0C2C10E,IMPHASH=4A5322FFADCB709210EC79A33718D3F8trueMicrosoft WindowsValid 734700x80000000000000007999166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.710{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\drvstore.dll10.0.14393.2791 (rs1_release.190205-1511)Driver Store APIMicrosoft® Windows® Operating SystemMicrosoft CorporationDRVSTORE.DLLMD5=D0DE1D69FC3F00F65F8D67C31BCC9682,SHA256=F27CEB248FCB3444B850896CB916DACC10BC730E7C2679D2A6C2582CC667F8AD,IMPHASH=AC3F232984E3ABCCF80F1B2A1ACA9991trueMicrosoft WindowsValid 734700x80000000000000007999165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.710{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\atl.dll3.05.2284ATL Module for Windows XP (Unicode)Microsoft (R) Visual C++Microsoft CorporationATL.DLLMD5=C1B73181019C1E1F28F4161B5F198B7F,SHA256=C3678504437D23910C18D3680B05B4E819A2229BDD0E1E0567186C70D814560D,IMPHASH=5500EF6AAEED0FAA2DE0F3B65E67DE20trueMicrosoft WindowsValid 734700x80000000000000007999164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.710{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\fdPnp.dll10.0.14393.4169 (rs1_release.210107-1130)Pnp Provider DllMicrosoft® Windows® Operating SystemMicrosoft CorporationfdPnp.dllMD5=23D6408C20F4A0047E5F586354492C2F,SHA256=49F69E54AA909ECFD8A463B102BE708B496AD9A1EF73BAD2C10383E234AA75B1,IMPHASH=CE603E72BE35448111FFAD017648951FtrueMicrosoft WindowsValid 734700x80000000000000007999163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.710{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8,IMPHASH=B53F82B33CA6ABD6251152A46E5FF78CtrueMicrosoft WindowsValid 734700x80000000000000007999162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.710{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\fundisc.dll10.0.14393.0 (rs1_release.160715-1616)Function Discovery DllMicrosoft® Windows® Operating SystemMicrosoft CorporationFunDisc.dllMD5=0F54ABD1EAC74FC00BED394DC7F3F682,SHA256=366EB1FCC88FA18EAFA954FBBB967B0E1383929E2FADBB54ED2174E9B07F0998,IMPHASH=DA6C3183FBFC5FF462CA880F87A5C413trueMicrosoft WindowsValid 734700x80000000000000007999161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.710{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\msxml6.dll6.30.14393.4402MSXML 6.0Microsoft XML Core ServicesMicrosoft CorporationMSXML6.dllMD5=B180CFB17D7039CAC46371B8CA857F22,SHA256=C62664A4AA96626864D394EC99F5562DDC59C1CF4DF57AF8E699079F16A85695,IMPHASH=A74F148CA887740D0E045C70ACC762EBtrueMicrosoft WindowsValid 734700x80000000000000007999160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.710{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x80000000000000007999159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.710{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\fwbase.dll10.0.14393.0 (rs1_release.160715-1616)Firewall Base DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationfwbase.dllMD5=216C0DC7BEBD19C616A7BCE54F57F70C,SHA256=2305E780D161A736DB237727AC78EC1D2462793FD5013D126621B4BBBB16D743,IMPHASH=4D74FD81A888167F0D448CDA56ED51C9trueMicrosoft WindowsValid 734700x80000000000000007999158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.695{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\webservices.dll10.0.14393.2312 (rs1_release.180607-1919)Windows Web Services RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationWebServices.dllMD5=3EE43755685D59060FAC0E2F09D67686,SHA256=BF80D9B840C28BC4E8FE9A4E6DBCCCAEE37A108F83428ABA1DD780D5312369D8,IMPHASH=21CAA202FAEFBDF78B727F64E8C79245trueMicrosoft WindowsValid 734700x80000000000000007999157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.695{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\FirewallAPI.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Firewall APIMicrosoft® Windows® Operating SystemMicrosoft CorporationFirewallAPI.DLLMD5=C7DD193AFCCF63B97C559993608EDAF0,SHA256=26E7628E9C65352F730F38D7BF32A845CC1CAEEC034152B1CDE85F9B89D1A6DC,IMPHASH=39BEAE1D9F26D2F49E282C68C8644857trueMicrosoft WindowsValid 734700x80000000000000007999156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.695{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\deviceassociation.dll10.0.14393.0 (rs1_release.160715-1616)Device Association Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdeviceassociation.dllMD5=68139108F7E1D4327BE76289E14C2159,SHA256=05436A7EE5EE877F3EA6B12604D41EFCE288F093AAEE03A906FB7C9A4A76DFDA,IMPHASH=CA757A840D91610BF593E8A2814EB9B3trueMicrosoft WindowsValid 734700x80000000000000007999155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.695{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\WSDApi.dll10.0.14393.4169 (rs1_release.210107-1130)Web Services for Devices API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsdapi.dllMD5=9ED82F0803A7BFDDA1F3923B816B44E0,SHA256=873546DCFF25E8DD3E7B56C1E23BFC6CFF00938245410D07F096C0D7720CD29D,IMPHASH=5F24B36787DB424CE025987AD54CB835trueMicrosoft WindowsValid 734700x80000000000000007999154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.695{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\winhttp.dll10.0.14393.4169 (rs1_release.210107-1130)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=24995B62FFC2519B34A2145673BD275F,SHA256=BB7D4DE1BE6111462F65F999A8969DA04113F15A80D534A93D3CCC76A9FE1F22,IMPHASH=F1FC6BF3699C289EBAF914A7771E49CDtrueMicrosoft WindowsValid 734700x80000000000000007999153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.695{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\WSDMon.dll10.0.14393.3686 (rs1_release.200504-1524)WSD Printer Port MonitorMicrosoft® Windows® Operating SystemMicrosoft CorporationWsdMon.dllMD5=2A0FE631E3788072815B3D869D6E4807,SHA256=1EB91F04C6A7D3933A7C9FAB875F423BD87F9319D579A3F7E10F5EA964B75394,IMPHASH=1677C9B823A0EB4D16AAD105FF58396DtrueMicrosoft WindowsValid 734700x80000000000000007999152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.695{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\wintrust.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=D8CD8451D1E194230F18866AD6EFE5E7,SHA256=9977AA1287962035C24DF806DDA67F09FFE9BDF696DBA507D749C624AE1C178D,IMPHASH=EC9695F0DF1F52E9D439A942DBDAA111trueMicrosoft WindowsValid 734700x80000000000000007999151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.695{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x80000000000000007999150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.695{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007999149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.695{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007999148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.695{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\usbmon.dll10.0.14393.4169 (rs1_release.210107-1130)Standard Dynamic Printing Port Monitor DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationDynaMon.dllMD5=6C5C4EFF050C5157E37BDE60A2C93DDD,SHA256=A4E0631B667DB3665D9781DC4D20306FFD50FDA03266A2A909CE8244EEBBA7F0,IMPHASH=ACC1B8328E5E4AA73A6376F3B0DE82CBtrueMicrosoft WindowsValid 734700x80000000000000007999147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.695{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\wsnmp32.dll10.0.14393.2214 (rs1_release_1.180402-1758)Microsoft WinSNMP v2.0 Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwsnmp32.dllMD5=3D2AA27D9045CF6666C0AEB154F54412,SHA256=7504DFA5299D7E728A19ECC56E1A571A9284942F264560B14F8EBD2C82B82F0E,IMPHASH=6A0DE6511779416C6B1A6AB97E623253trueMicrosoft WindowsValid 734700x80000000000000007999146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.695{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\snmpapi.dll10.0.14393.0 (rs1_release.160715-1616)SNMP Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationsnmpapi.dllMD5=6EC20D3BBA11E8E323DD78F3785A1F8C,SHA256=C657506547E02D7466F7556552B94267572C9AD102032563F50F7E9FFE2750A4,IMPHASH=D1AAE745CFBD7B9D86D0C6C959A93E09trueMicrosoft WindowsValid 734700x80000000000000007999145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.695{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\tcpmon.dll10.0.14393.3686 (rs1_release.200504-1524)Standard TCP/IP Port Monitor DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationtcpmon.dllMD5=147E359C421C3C3F4F339E6EF4B49FF0,SHA256=92F3647038C6FA3037DB3EA7730F481682413440CCE40D90FC10DED18E0E9D93,IMPHASH=3DB45672BF601A6EB432E665E2BB692FtrueMicrosoft WindowsValid 734700x80000000000000007999144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.695{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\PrintIsolationProxy.dll10.0.14393.0 (rs1_release.160715-1616)Print Sandbox COM Proxy StubMicrosoft® Windows® Operating SystemMicrosoft CorporationPrintSandboxProxy.dllMD5=A68307437E8388B73DC7735DFAAE108C,SHA256=D4C201F7FA2527BCB60477E0D43AE3F98103E464EDD94E9AF0BF9DAE707B4071,IMPHASH=C6866B01FC1B5714D1584B223E0831B3trueMicrosoft WindowsValid 734700x80000000000000007999143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.695{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x80000000000000007999142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.695{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007999141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.695{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007999140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.695{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolss.dll10.0.14393.0 (rs1_release.160715-1616)Spooler SubSystem DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationspoolss.dllMD5=871C382EBDE513E3CE2217D687DC2FAE,SHA256=62947AE122A2C8E80B9F9C3C62BC757BF40A52E0913922FDC75D20ACE2001E71,IMPHASH=4B854FB0B00519EA0AB648923C27B591trueMicrosoft WindowsValid 734700x80000000000000007999139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.695{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=B80907BCF327C925E7AC990D81A705E6,SHA256=58A71BD4A0DDA6EAE49A50ABF92F73FD1792B218B7F811E06431CEF8EFF77040,IMPHASH=1B1E4C2174456B1956B734A2FE9401EFtrueMicrosoft WindowsValid 734700x80000000000000007999138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.695{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007999137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.695{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x80000000000000007999136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.695{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x80000000000000007999135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.695{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FA,IMPHASH=5BAA515B293A764CA06512D078C4E624trueMicrosoft WindowsValid 734700x80000000000000007999134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.695{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\localspl.dll10.0.14393.4283 (rs1_release.210303-1802)Local Spooler DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationlocalspl.dllMD5=BA05D6016DE00A037DFA7E2AD1530E1C,SHA256=61EE4D1BC7723485027539FC8AE59E72FF53BE072EA2345141E981877F27805D,IMPHASH=725661AED59B05CF2E13B21F634CB082trueMicrosoft WindowsValid 734700x80000000000000007999133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.695{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88ED,IMPHASH=6097EA32A6AE2378711DDF884725A2AFtrueMicrosoft WindowsValid 734700x80000000000000007999132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.695{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94C,IMPHASH=98E0DBCEA076EF80E7DE241072E34656trueMicrosoft WindowsValid 734700x80000000000000007999131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.695{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1,IMPHASH=77951C1B66390D48C5FC7B47D7C8668AtrueMicrosoft WindowsValid 734700x80000000000000007999130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.695{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007999129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.695{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscapi.dllMD5=6433F8201BFB449DC6B47F6999C2F164,SHA256=06729F1E0A0596620B48B6DC4A2CC9CC5FE55B17BD488C71F7F15AA4262C8C14,IMPHASH=50E2F760F0B39DC72CAD6892FEDF2F27trueMicrosoft WindowsValid 734700x80000000000000007999128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.695{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007999127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:52.695{3BF36828-EB64-60DD-7502-00000000C801}3980C:\Windows\System32\spoolsv.exeC:\Windows\System32\clusapi.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Cluster API LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationclusapiMD5=02CE365BB6DD3C57570225AC572A2685,SHA256=218A1D598180A048A0FEB135433B0DD28F5B034AA687602B09018DEB3385F63A,IMPHASH=A18EA9022AC27F1C7E02F74FAE45378EtrueMicrosoft WindowsValid 23542300x800000000000000015901932Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:52.859{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25125880D1070E002DF941A807592CF5,SHA256=5A7197F39CAB823A1515F5C6354EAEB528A9C6B9F096F93A0B47AE5452A8B69D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:53.663{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=572BD27520C8E99941AA0A567A14CFDA,SHA256=94FF2FAC8441C56311E694628F12A4FD6ACB1A3184BC150719FBF73433F9E453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901933Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:53.875{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=704FC8A419A4217B836A44E581CD3697,SHA256=721648664C414850A635E158DB738949B2433EEBDF20C973B6523E6B89E03198,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 22542200x80000000000000007999197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:51.925{3BF36828-EB64-60DD-7502-00000000C801}3980WIN-DC-1280fe80::b574:557a:2d92:ce61;C:\Windows\System32\spoolsv.exe 22542200x80000000000000007999196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:51.925{3BF36828-EB64-60DD-7502-00000000C801}3980WIN-DC-128010.0.1.14;C:\Windows\System32\spoolsv.exe 22542200x80000000000000007999195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:51.896{3BF36828-EB64-60DD-7502-00000000C801}3980WIN-DC-1280fe80::b574:557a:2d92:ce61;::ffff:10.0.1.14;C:\Windows\System32\spoolsv.exe 23542300x80000000000000007999194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:54.335{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E92560E69474E1F661FA873EBC7F8F8,SHA256=DAF27096FDFAE517978ED4019B5B2A7092A9F36ADE3A25BBF55489694AC8A667,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007999193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:51.435{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61106-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000015901935Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:52.540{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52128-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901934Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:54.890{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9478CADB04B2C138C8711D2C1DA0D65,SHA256=8E0B56B77D81B38228577BAB66EA84E9C4D15117CC994781C8D0BDD863F26887,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:55.710{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE84B52FE937D6036D1AB29B2C5FF1F9,SHA256=7EC9369CECF8E53288BFD1843995300203F2FF724CBF85315146E0BDCACF253E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901937Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:55.891{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D320EEC8E1B9A8C623B594C58F420BB9,SHA256=233E8F40E09AB61F43FFF6CD0971657925FF1641A7A87F649D37CBBFF5CE5362,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901936Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:55.484{B81B27B7-880A-60DC-1000-00000000C701}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=534AF47FB905BD60EDAB3B0601271AFB,SHA256=025AC77F59ACA1525FC2E6E0872424215B2C74CD0EA45C6EC2124C5F716998FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901938Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:56.922{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB9A34ADDCAE6C0B36ADD8CBBB270B1C,SHA256=CAAB14E85A612A9C02F05C9EACE018332F40CE9E315E2AF7D59E93F3641A116E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:57.148{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7689B00AAABDC4C43C3E2D38CA9A1F5,SHA256=A40A326778C980E98086E42E05223766D582FFADFD9B06827E87F5EDE94F2A8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901939Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:57.937{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CF7AF9E648E64F6C6F5EB04C8E50E88,SHA256=84AF0DFF8A55AD8264DCD6FA97F8C1F8DDC93415CF09617BABDE687B0930480F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:58.523{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39ABB90C84AD124C42DB15B9AB5B964D,SHA256=F440C9DE96B2C73E10408EF68F79B01180EC38D6A7CE0347B7BB7F58F92E8D6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901940Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:58.953{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15A3C86F4ADC48777EB47FCD4241E616,SHA256=2692355398015419F38CBB7285BB4A9FAA901868E5AA55D5FA7E6078D5D16FAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:59.882{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB5114C340983CCBC5266D937BA603AC,SHA256=5719B49D04F4E886B66B8EDCDAF66DC76096312F7BE7FE54A88F490B040B7B33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007999201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:59.195{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC5A892F24DE20D562B9B8A7E5A402EB,SHA256=7AA867BE200BECFA1891C07CBF85EA6ADCB0D40DB68676F318763FD758106D69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901941Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:59.953{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5593184E8A044621596F2D34BA1B6B5C,SHA256=98031702A061BC0AAE83282CB56D182996CC956A746DDF9656E7974F38529613,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007999203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:22:57.310{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61107-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901943Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:00.969{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19EFFBA5C90F51026E657F5C36737B7D,SHA256=FE7B42F3C30887EE9D785DF735C6763C317D85A232AB807FA7CF082F3F61465D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901942Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:22:58.540{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52129-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007999204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:01.243{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58AF792E173F97A41536B4F9EBBA659C,SHA256=8C181EDC1008426B0B8F949E449C49A1DA548C4CB6447F41CAD87AB481F9D017,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007999209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:02.771{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x80000000000000007999208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:02.771{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007999207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:02.771{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeC:\Windows\System32\drvstore.dll10.0.14393.2791 (rs1_release.190205-1511)Driver Store APIMicrosoft® Windows® Operating SystemMicrosoft CorporationDRVSTORE.DLLMD5=D0DE1D69FC3F00F65F8D67C31BCC9682,SHA256=F27CEB248FCB3444B850896CB916DACC10BC730E7C2679D2A6C2582CC667F8AD,IMPHASH=AC3F232984E3ABCCF80F1B2A1ACA9991trueMicrosoft WindowsValid 734700x80000000000000007999206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:02.771{3BF36828-DD0D-60DD-1300-00000000C801}960C:\Windows\System32\svchost.exeC:\Windows\System32\devinv.dll10.0.19645.1032 (WinBuild.160101.0800)Device Inventory LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinv.dllMD5=8BFD253467CDB3F41ED2A23FE08B361D,SHA256=5A938F1A6D0FF39BE7B5BD88F46988F4CDAA78134E9E22AC02C46EC688819D17,IMPHASH=94EEFF72CC677C4C4124B0B3A85F7825trueMicrosoft WindowsValid 23542300x80000000000000007999205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:02.614{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8A159C95C547AB9E383B621FB178C96,SHA256=024A496C0BAB0C61284AFBF31E2E243585038D97EC2F97881063537D7F906EC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901944Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:02.016{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4413236935C6A8A52344BDF54E602BDD,SHA256=C0213E1CDA3400793756AC3FD20F3262B78A451EDECE8947A7F90C367AC5416B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:03.977{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E59F86952DDEC8057E0C38C54A1F78F,SHA256=BA6B8CD67E1217F5D83275B7AD4999F48CDD7F9AF5B01B288D453AF6F71184F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901945Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:03.047{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AA85F230F7EF3236811B26366C0A162,SHA256=D4B8CFAB502D01D7AC3DD772ABA526FF1EB6ED83724B2AE319DD0A74C92E7902,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901946Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:04.062{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D056734CE66A7E6870DCD7663F03D7B,SHA256=D9CA80B9CA7CE4DE169FB59EE48CBFAB85992BC5DAAF27EFC3BDBDA0AF1055D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:05.352{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58A84927D737940B9179FDB13972BD32,SHA256=18DF2547FBD30A73BE4A33951BC27B0854C24CB8D475B04AD222FBF92EDE88D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007999211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:02.354{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61108-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901947Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:05.125{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B106C7AAF2CCA8BFCB0DAEBB55AD2B2B,SHA256=4B3326AFD72B9E7A985188B00F20531E10BBCA20F97B72676DB61B734A89EDBC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:06.727{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0DE966B08ED998C4C3F63924B5A9640,SHA256=E9AAEE6AC0DB6EA8CF6DBBC21E707D158AE0CB4B9169FB76A8198B808B735583,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901948Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:06.125{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=352DB074B569D2D7CAC0605F14D4C66E,SHA256=504E60BA2D08D02F71B42C76E3145A67A7835D62642951214AE9D462DA010EB2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901950Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:07.141{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85C20B55AE4C1987A27FF361E9B8824E,SHA256=270B94537741912DB840FB16A8DA217E7B3272250002403863B0002BD4BE8418,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901949Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:04.430{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52130-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007999215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:08.085{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71DDC52751672285C6825389A610974D,SHA256=597936DEF8BD3CE2E47682D3D9709332D35CE24874EBCE9D012EFC5350446BE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007999214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:08.085{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=071D728D607BBC589D36485BBBC52541,SHA256=637F14C2AF71F0478DD221CBB19DDC19D2DB7681B0FFA23B3E6F8A6BC3E9BA21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901951Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:08.157{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C91EC6133791E37885C96BFE74182BE9,SHA256=8B9CD48DDB12ECF8931099A36A143989DCB5E7AA1C5E4CE49486D397D0AE8C51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:09.460{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DAAA65A15990ADD7B0A8DEBABB1DB3A,SHA256=1C9D8660E16AFE2C8185570F0F23D199AE8C88207B16661561D9BEA181C0A062,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901952Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:09.174{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF4A7114B1EE67CCDD74730457E80D8,SHA256=03F6A8E5BF26CB1FF7BE12C71E9597EC54CE6DA4F3414B1CD05A92D331556536,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007999217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:07.419{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61109-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901953Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:10.203{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C264A63FC68384952492FEEAC2CA07A6,SHA256=FAF27D6ADBA3211CCEEE80C1082A600F41AAE69D3EAB761C9EE9BACF1A3A2EE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901954Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:11.235{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46A501AA38F0EBDEBAF2CEE98732D386,SHA256=7FB63C90F44D78D334271C0DD4206F25352194A5D96E8C042B0FA6B854111B0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:12.507{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4721B8026BC1A768D5C6AB686FBF574C,SHA256=056E5E09AB9D2B08C137029EAE905D017761301F7BD2ED13F545950D4863F007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901956Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:12.251{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A06462CCF59BC44502BD4A6FA4D6321F,SHA256=1F58CBCD7375D1229C6AB97ACF4AA2D2D5B7E5A3A44035FA347300A3F2018463,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901955Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:09.491{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52131-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007999221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:13.882{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3591121D27DFA878C0250D7E9DCE478B,SHA256=91D6DC4D55E7DBA92E22F15AC69B74DEBEC15AB8FCF474E8F39DCCF13227D507,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007999220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:10.873{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61110-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007999219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:10.873{3BF36828-DD1D-60DD-2F00-00000000C801}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61110-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x800000000000000015901957Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:13.266{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6965C6FB28420D953D1EDC76445A93D2,SHA256=C98173D67D57B181158219883D1E70ACFA74E7F1FF56D1B48C7B07F6C06101F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901958Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:14.297{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D8A0AC843B9CE046ED091E45CCA6AD5,SHA256=8D7B71331E35B6592E17F850EBDA17D235C8C3568D5C6FC4B72B2FE193F5CDC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:15.257{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACDF609D4AFB0BFE2F7C9C0632B2B123,SHA256=A6C8E1A277E496CC301D591FFB5771BF374E87818233CCA263C01B88681C680F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901959Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:15.329{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A915D3245C867C0FF8FDEC544A5DA2C9,SHA256=E21B5A22950A6FD37546BF4BFB963E8C89B500CE2CED274DCF63E179494BE59C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:16.632{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B02ACA22392C0DC6D05BBB1FC141EB1,SHA256=7DB8CBC7E51749A413D5D33876AC00913634030664911A778CE9140A7BCD698D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007999223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:13.310{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61111-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901960Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:16.360{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F4E78ED8D87F66078275CE6C6041E5D,SHA256=EBB5231D498720BE16EF386853C8CBF44DDBF001F760F94917C88CE06117EC2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901962Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:17.376{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECB413B0E629D2CF4D6C217EBF40DD51,SHA256=01F7CBB45ED119A1AE9A8B532A2175E520A8B33F975D040E9AB93FBDAA0832B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901961Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:14.556{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52132-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x80000000000000007999276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.820{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007999275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.820{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007999274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.820{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007999273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.710{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007999272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.710{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007999271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.710{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007999270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.710{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007999269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.710{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007999268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.710{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007999267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.710{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007999266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.710{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007999265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007999264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007999263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007999262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007999261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007999260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007999259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007999258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007999257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007999256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007999255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007999254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007999253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007999252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007999251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007999250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007999249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007999248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007999247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007999246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007999245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007999244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007999243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007999242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007999241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007999240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007999239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x80000000000000007999238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007999237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007999236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007999235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007999234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007999233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007999232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x80000000000000007999231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007999227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.695{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007999226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.696{3BF36828-EBF6-60DD-8702-00000000C801}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007999225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:18.007{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8FDB4B6A37426FD2B37A847087FEDBC,SHA256=29AD56A80682E46F93B7A01F32E1F5284F31B62C4BE9A550F909E0660ECC225D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901963Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:18.391{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9C601C7C7B1B34E1464DB8FF820B193,SHA256=6964C56EB6E832323E5B215AD2FFE73EFA079CB44A1BB9A863C69D57B1949B4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007999329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.491{3BF36828-EBF7-60DD-8802-00000000C801}38045028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007999328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.491{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007999327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.491{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007999326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.382{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007999325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.382{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007999324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.382{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007999323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.382{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007999322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.382{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007999321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.382{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007999320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.382{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007999319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.382{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007999318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.382{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007999317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007999316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007999315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007999314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007999313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007999312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 23542300x80000000000000007999311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D3C0F49496741C32880DF524CE69D7C,SHA256=EE91D88DBF723364A1AE5D53CD5DD76F04374CDA20AC81FB33EAC75D519D4AE0,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007999310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007999309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007999308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007999307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007999306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007999305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007999304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007999303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 23542300x80000000000000007999302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8C1AFF665531A77787E2F6DF27079BC,SHA256=E9C780D2571F53ED3EC3335293D290CE5CFB6F4468D5E50B05A9B3CD3A3E1997,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007999301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007999300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007999299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007999298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007999297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007999296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007999295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007999294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007999293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007999292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007999291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007999290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007999289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007999288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007999287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007999286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007999285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007999284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x80000000000000007999283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007999278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.366{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007999277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.369{3BF36828-EBF7-60DD-8802-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901964Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:19.391{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4EC4C597AF96607124154A3E88EFC24,SHA256=59D1539FD4E570C1746CD8998E40E0AFA3B463876205FFF631325835EEF5133F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:20.757{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BD0C2C1B96E3DF2B2B4F901E4A3C67F,SHA256=035AB8C7D6532A98AE52DF4538BA080FE0CC6EE926385929A3C361C8E72F723D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901965Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:20.407{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84A6FE49726ACF6ED30E30D2AECF156D,SHA256=CB8B87D5885D7664BB0024735524D4484778ABA216D30BF15809E7BEB73C996C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007999332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:19.294{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61112-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007999331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:21.257{3BF36828-DD1D-60DD-3000-00000000C801}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901966Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:21.454{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB296BB1955BF18F3BF64212F93AD6C0,SHA256=2CAAC1822170C79A4E7054963DB1DDD41956BCA8DC5A7765AB6F4E02BD3C37B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007999335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:20.435{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61113-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000007999334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:22.851{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23208A874BD4DAE8A18588BE02C9C071,SHA256=B1BEF34A591FB24E5EE31E5295900674D612BD0FDA183E093AA358E51C7ECA6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007999333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:22.179{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B62171B660EFC933368E5C3A9A85A50B,SHA256=FE853EAE6F59A75FE0C4102CB9B13A52DF3BAC96ACBBD6F1CDE4FF17BD0A3556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901967Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:22.469{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4217A0F34466CBBDB2634A8B3B784D5F,SHA256=2B29890426B9CE301D98A300F2EA691DDE2B8A2248F83CA6127BDAD42F2A0080,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901969Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:23.501{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6D50EE5B3CBCE3AC52AB4ACF970D4EF,SHA256=8A0A47FE7F217C67389531EAC3A9079656F87081B9A5933775C5EBCE9283D805,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901968Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:20.368{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52133-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007999336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:24.273{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D80F2BAF5A132138CB30E5125BD10CFF,SHA256=FC1C8E5A2D5269357655512FB933DE6044489B3F76165BE113E2B8E0654CE990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901970Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:24.532{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48346A01D79AEC7E670C153406D8ECB0,SHA256=82652A6E2C53612C6C05C54412AD4B6730C2A0A5741C853CF1B6A7975A4901C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x80000000000000007999338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:23:25.663{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d76e95-0x6b180c9a) 23542300x80000000000000007999337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:25.648{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3645BCA26CB69ECCD56CE5D78D969996,SHA256=74C3BA1A4EBDE96267E6723C2BBD467213B5734365F4C8D743209F6939B3CDCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901971Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:25.548{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAA682733410E59F2F889E7F17E6ABD5,SHA256=5911A802CAD0A961D0CD385A72D99E98182C55B49B4F9090E1D09FFBD551B1A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007999393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.460{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007999392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.460{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007999391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.460{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007999390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.351{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007999389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.351{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007999388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.351{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007999387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.351{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007999386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.351{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007999385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.351{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007999384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.351{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007999383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.351{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007999382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007999381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007999380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007999379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007999378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007999377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007999376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007999375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007999374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007999373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007999372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007999371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007999370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007999369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007999368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007999367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007999366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007999365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007999364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007999363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007999362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007999361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007999360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007999359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007999358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007999357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007999356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007999355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000007999354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007999353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007999352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007999351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x80000000000000007999350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007999349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007999348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007999347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007999346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007999345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x80000000000000007999344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007999340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.335{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007999339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:26.338{3BF36828-EBFE-60DD-8902-00000000C801}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901972Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:26.579{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B36187897A09A43A8DD4623312298C1F,SHA256=584CAF5205D08115E70F80BA6ED5F5B8DD44187ACE4B46091F379E08A822EF50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007999497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.820{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007999496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.820{3BF36828-EBFF-60DD-8B02-00000000C801}41483228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007999495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.820{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007999494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.820{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007999493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.710{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007999492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.710{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007999491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.710{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007999490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.710{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007999489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.710{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007999488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.710{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007999487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.710{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007999486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.710{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007999485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007999484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007999483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007999482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007999481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007999480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007999479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007999478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007999477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007999476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007999475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007999474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007999473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007999472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007999471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007999470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007999469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007999468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007999467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007999466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007999465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007999464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007999463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007999462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007999461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007999460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007999459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007999458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007999457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007999456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007999455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007999454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007999453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007999448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.695{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007999447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.697{3BF36828-EBFF-60DD-8B02-00000000C801}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000007999446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.148{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007999445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.148{3BF36828-EBFF-60DD-8A02-00000000C801}4525032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007999444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.148{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007999443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.148{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x80000000000000007999442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:24.403{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61114-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x80000000000000007999441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.038{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007999440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.038{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007999439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.038{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007999438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.038{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007999437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.038{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007999436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.038{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007999435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.038{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007999434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.038{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 23542300x80000000000000007999433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40ACF5E1E83EAD4DB97A14B0B391E278,SHA256=36524F353A66D2A8D0CEA03B39247D7F26E897DB415BF4491971F1096815F86F,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007999432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007999431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007999430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007999429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007999428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007999427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007999426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007999425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007999424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007999423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007999422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007999421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007999420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007999419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007999418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007999417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007999416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007999415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007999414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007999413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007999412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007999411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007999410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007999409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007999408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007999407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007999406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007999405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007999404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007999403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007999402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007999401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007999400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007999395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.023{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007999394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:27.024{3BF36828-EBFF-60DD-8A02-00000000C801}452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901974Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:27.626{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3852B94188192754E5FD01F96BF99B28,SHA256=FD48942E5192EF9A979B13123689AA10CE5748CD44F25D55768994012AC38E64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901973Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:25.384{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52134-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x80000000000000007999550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.503{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007999549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.503{3BF36828-EC00-60DD-8C02-00000000C801}28964748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007999548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.503{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007999547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.503{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007999546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.394{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007999545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.394{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007999544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.394{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007999543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.394{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007999542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.394{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007999541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.394{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007999540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.394{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007999539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.394{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007999538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007999537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007999536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007999535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007999534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007999533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 23542300x80000000000000007999532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52FBEFB02001399A11C68A5CCA19E74B,SHA256=9DEB08331C525A9F343D7027EF2C8A57B8CCC1B4B19C6840EDB76DE6240CB102,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007999531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007999530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007999529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007999528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007999527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007999526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007999525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007999524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007999523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007999522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007999521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007999520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007999519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007999518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007999517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007999516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007999515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007999514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007999513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007999512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007999511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007999510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007999509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007999508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007999507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007999506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007999505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x80000000000000007999504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007999499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.378{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007999498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:28.381{3BF36828-EC00-60DD-8C02-00000000C801}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901976Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:28.809{B81B27B7-880B-60DC-1F00-00000000C701}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901975Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:28.637{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F7E72732A35C14DFE6D59336E096961,SHA256=4522FA93530C327AA752F3AF8E5C2B04761FB2CBAB7C5507775AABD5A5830B5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.800{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D8DA3E4BEBC553D90BD8A620A68C24B,SHA256=FD9DC84DF2E99A9EB1552BCF5244C53184C2535D14167596C329F7DF4BFE2DAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007999603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.800{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF20474053F5DE4D10892B5A3BD647F7,SHA256=519A3A0277B1C4ACA33894A0E6E0BC51E8588362CCBF769BE48103AC5A9148A9,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007999602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.191{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007999601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.191{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007999600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.191{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007999599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.081{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007999598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.081{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007999597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.081{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007999596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.081{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007999595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.081{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007999594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.081{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007999593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.081{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007999592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007999591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007999590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007999589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007999588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007999587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007999586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007999585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x80000000000000007999584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007999583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007999582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007999581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007999580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007999579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007999578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007999577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007999576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007999575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007999574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007999573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007999572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 23542300x80000000000000007999571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3DD3ADC61A496574087710D3473C4FA,SHA256=8E5B090D3ACCB1C83019B4D2051CF794AA28518FFAA22BC822CB1843DA102277,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007999570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007999569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007999568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007999567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007999566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007999565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007999564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007999563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007999562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007999561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007999560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007999559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007999558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x80000000000000007999557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007999552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.066{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007999551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:29.068{3BF36828-EC01-60DD-8D02-00000000C801}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015901977Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:29.637{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87D23A24B3A9192D1B47EBB4AECD0408,SHA256=C16675B49C32CE01104326EE443FA3CD3BBA6C17DDECE5D953BDDEF11E1FBBE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:30.488{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF9944B5266A879CDFC3DE65E0223F5C,SHA256=3D5F65BA98B988785BE817B31C4DEBC268DB26A8EB43D2D88316B795B79CC3E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901979Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:30.669{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC8CD5484F404D5707908DDCF9DC71B0,SHA256=C20B909837FC572F3FF0E7123093B488FCF90CF55C4F3454EF10922323F36B23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901978Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:28.099{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52135-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000007999606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:31.238{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AAF71E78A045664AA9D16470A5AD632,SHA256=45867E5A71343D120AD4C9647597E8E021BF66F929BCC59CADBFD01FB5EF07F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901980Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:31.700{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92ED9927EAB0BDBBDCD9851997AD7B34,SHA256=11F81290D605435469AA542DBCAAF689763933A27B6F322EDE68EC8B1E1A9909,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:32.722{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=530DF6F734E84FF559CD7EFE2BB4FA57,SHA256=36EA27688A043277E432E4C7D9BEB1E01152D4236BFEFB420AC1D34CFAB18CB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901982Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:32.731{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87D69C43D2DD9FEE4A412DEA8EE872ED,SHA256=0AEB2E215BF3B5C46149DC30CADE4766587D21C4E992AAA20E1A3F885319EE90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901981Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:30.412{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52136-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000007999608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:30.337{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61115-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901983Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:33.731{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=870EE8895E7D0FE5E797E66709AFC2D2,SHA256=92EF25254FD39CF2D669928D8704B91A5EA31D0A9BDD2F947280E9C19D759829,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:34.144{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19A04F5A7E41256D4E3037E679BE417C,SHA256=5469F18D898C3F7ED45D7E80FE922BF7D45DDA3C8D2F5B445153CDEA42C34DA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901984Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:34.731{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D286894F2DF7C6B5FCB1785491E5E0B,SHA256=FE05F9268B7148E70D152549540F7C2DDABA3EF22DCDB293E4E7A891498058D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:35.519{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=654039E4AF3EB2BC4C0E44507258F929,SHA256=590C52C401CB6FE4F9281E5E495150A514C508F4ECFDED89B3F68F55F4153E2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901985Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:35.794{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19302232FCF7D876E8346881CD44F7FE,SHA256=312CFB9C86B13530723CEA9435FC53987E3D6D1AF9606BF303217264F345090B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:36.878{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AEB1AC5CD3897993FE7ECEFB530A0BB,SHA256=97B35AB4EE0AB3A6918296E18E7FC043CFE9CC7347BAD6F708437D43BD2F1E65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901986Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:36.809{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC297D2C18583005C6A6250A070D0B9B,SHA256=3404DBBDD5FC9F51850A5B8A271ADEFCDCC9F954FC8B9EA1B2B15EF8ABFD66EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901988Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:37.809{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53A11931FB5D111684FA28F1E0CD990E,SHA256=CEDF05CF333869945879A42FC584A3A11A3F6A35ADA1D1570F9FE1A97E42DFE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015901987Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:35.458{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52137-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007999612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:38.253{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4BA5BBB3A51B0EADB1713BEF3F7507A,SHA256=C51C762A34C4752AE1196D50452DF6F3C3B6E210C28C2C03B8D1322F9BCC3D6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015901989Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:38.825{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=537D4A1CF440A10733F4C4325B7659FB,SHA256=5661FD68A8C9260D837705881BD6C1F143872EBAC8DA18195E0F7799D9B48293,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:39.613{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95C6BD4DAF9A9524B5D3B9CBB43D5668,SHA256=789D1EE1E33CA788DCC9322ABCA048E127757432B1BCDBDF97CF26BE1E242C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007999614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:39.613{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9266963F97CE6353490B577A56D58243,SHA256=B6ADFE6429ACFAEA0F22A0E0AA38BFDD7E98AA2DA1CB9685CF47768CFFE9ED50,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007999613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:36.243{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61116-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015901990Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:39.841{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12B6E36BABD4D0FC3659AEA249A5CE6C,SHA256=5A934CE388C1E787FE1BCC6E91AD9AD565E0D29645E4B25DA497EBD2E3E41048,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901991Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:40.856{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2599668B439455B88ED76BBAE1A46B2,SHA256=A534D145A7134BEAE053B1DE2CA808A602042C2641C80B178E90B7B8189BAEAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015901992Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:41.856{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89F50ED476428FB92D10DBDE2570AEF2,SHA256=7DD5218B6CE06F4D04D02D7D2CEB0E788E044933457E04F2DB3833AD90D0F3A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:42.519{3BF36828-DD0D-60DD-1200-00000000C801}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3F78ADCC0912CF87408DDA55F3E7A71E,SHA256=04928D7F03F3954EFBBA310EBBEB3662D68A5F4682EF2C425192D622F9BC4814,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007999616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:42.300{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=251716A66B15CD230E761C76AE5AE4FB,SHA256=6418D28EE9380411CBA590633E7C38455090F804EDC62E13C73F502BF89C8689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902007Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:42.872{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5791AD29D85B7FF2F5C595392F0C4C67,SHA256=D8FA44250333DB7F8540B9DB0EEC87957826B4EF4FFA1EA8737BD55A1C1836A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015902006Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:42.794{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EC0E-60DD-9B2A-00000000C701}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902005Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:42.794{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902004Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:42.794{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902003Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:42.794{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902002Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:42.794{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902001Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:42.794{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902000Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:42.794{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901999Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:42.794{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901998Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:42.794{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901997Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:42.794{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015901996Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:42.794{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-EC0E-60DD-9B2A-00000000C701}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015901995Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:42.794{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EC0E-60DD-9B2A-00000000C701}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015901994Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:42.795{B81B27B7-EC0E-60DD-9B2A-00000000C701}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000015901993Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:40.521{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52138-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000007999618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:41.243{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61117-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015902024Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:43.888{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C326667FAA52616738A89760B47167FA,SHA256=603BC4FDC1D54530DE8986EA9C1214F2E8C895ECA2612B941B491E51D0833A56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902023Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:43.856{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=602E0A59C63E39B9C71E59D764F793AA,SHA256=56945BC87D8586BC9DB626633122670047F61C30B3EACF36FEE8C1F53271A048,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902022Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:43.856{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10D234381FEC21541C7CEA812C88AAC5,SHA256=F120085E0CC4C3BB3B08D94784229134671180E7378FDC63A9F2664C74D33B84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015902021Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:43.622{B81B27B7-EC0F-60DD-9C2A-00000000C701}53361432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902020Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:43.466{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EC0F-60DD-9C2A-00000000C701}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902019Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:43.466{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902018Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:43.466{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902017Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:43.466{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902016Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:43.466{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902015Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:43.466{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902014Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:43.466{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902013Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:43.466{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902012Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:43.466{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902011Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:43.466{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902010Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:43.466{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-EC0F-60DD-9C2A-00000000C701}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015902009Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:43.466{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EC0F-60DD-9C2A-00000000C701}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015902008Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:43.466{B81B27B7-EC0F-60DD-9C2A-00000000C701}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007999620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:44.660{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FD020A026189EF1D748EF6DA6F16A92,SHA256=B59C4925A14E29DB5F79F1006BA30C26B2EBD1513C556C3496FCE4D7E0B71041,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007999619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:44.331{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9F9BB6D1C497655498875133C62A493,SHA256=FCA2DC31B33C9440C688C66167CF02C6DDB9232224CE49C79A78DCA7408029B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902038Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:44.903{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32C5E5DC810BBD9687E4770E989E2192,SHA256=3AAB9CA58BCDA70A8A82D73642C858CF9B3767DA3AE1C80FD3A33B50FFBB444F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015902037Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:44.122{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EC10-60DD-9D2A-00000000C701}2260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902036Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:44.122{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902035Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:44.122{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902034Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:44.122{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902033Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:44.122{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902032Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:44.122{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902031Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:44.122{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902030Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:44.122{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902029Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:44.122{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902028Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:44.122{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902027Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:44.122{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-EC10-60DD-9D2A-00000000C701}2260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015902026Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:44.122{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EC10-60DD-9D2A-00000000C701}2260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015902025Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:44.123{B81B27B7-EC10-60DD-9D2A-00000000C701}2260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015902040Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:45.950{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AE5238252D7CFC875184E1B720653CC,SHA256=D211EE3F907C66F38FCDEF2CD5B467597B30FE7DDD87193CF1D78954B205C683,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902039Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:45.185{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=602E0A59C63E39B9C71E59D764F793AA,SHA256=56945BC87D8586BC9DB626633122670047F61C30B3EACF36FEE8C1F53271A048,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:46.082{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=596D926FA80C714B256B5E41CB503AC5,SHA256=993F35BE99635B9728111D01CCCEDA7B44C55509FB0ABB5DA74611EAAF8CD5C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902041Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:46.997{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49F6BADF21CB638DB52D1D45D64BE980,SHA256=821214E9148CE966B0C252009F88E7B5E28ABFB08D636EC7D16AE95984629A3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:47.441{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37E1E460633321087E18D20D001F5C7E,SHA256=5D576C775696FE1CEDA785C713B96B0E518F6376E4DDB6FA2A63EF8E3B5197B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015902093Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.528{B81B27B7-EC13-60DD-9E2A-00000000C701}2704824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000015902092Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:23:47.434{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000015902091Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:23:47.434{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x056ed48d) 13241300x800000000000000015902090Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:23:47.434{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d76e8d-0x1602f407) 13241300x800000000000000015902089Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:23:47.434{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d76e95-0x77c75c07) 13241300x800000000000000015902088Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:23:47.434{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d76e9d-0xd98bc407) 13241300x800000000000000015902087Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:23:47.434{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000015902086Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:23:47.434{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x056ed48d) 13241300x800000000000000015902085Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:23:47.434{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d76e8d-0x1602f407) 13241300x800000000000000015902084Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:23:47.434{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d76e95-0x77c75c07) 13241300x800000000000000015902083Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-SetValue2021-07-01 16:23:47.434{B81B27B7-880A-60DC-0B00-00000000C701}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d76e9d-0xd98bc407) 10341000x800000000000000015902082Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EC13-60DD-9E2A-00000000C701}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902081Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902080Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902079Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902078Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902077Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902076Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902075Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902074Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902073Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902072Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-EC13-60DD-9E2A-00000000C701}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015902071Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EC13-60DD-9E2A-00000000C701}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015902070Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.357{B81B27B7-EC13-60DD-9E2A-00000000C701}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000015902069Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902068Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902067Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902066Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902065Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902064Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902063Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902062Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902061Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902060Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902059Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902058Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902057Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902056Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902055Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902054Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902053Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902052Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902051Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902050Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902049Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902048Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902047Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902046Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902045Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902044Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902043Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902042Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:47.356{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007999623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:48.820{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=592F0BC55CAE03733968F00434578DC2,SHA256=70C362A8918C1ED3C3D5B6F7D1049667342759AA521E6C95925DFFEEA2A5383E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015902124Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:48.861{B81B27B7-EC14-60DD-A02A-00000000C701}50363200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000015902123Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:46.364{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52139-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000015902122Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:48.705{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EC14-60DD-A02A-00000000C701}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902121Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:48.705{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902120Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:48.705{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902119Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:48.705{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902118Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:48.705{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902117Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:48.705{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902116Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:48.705{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902115Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:48.705{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902114Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:48.705{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902113Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:48.705{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902112Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:48.705{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-EC14-60DD-A02A-00000000C701}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015902111Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:48.705{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EC14-60DD-A02A-00000000C701}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015902110Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:48.705{B81B27B7-EC14-60DD-A02A-00000000C701}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015902109Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:48.595{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67523893CCF0A96E538155E7671D2941,SHA256=47FF73A4501F5B3BD3AED98678E335DB4524427362806CBDAA080E149AC97A72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015902108Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:48.189{B81B27B7-EC14-60DD-9F2A-00000000C701}54045752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015902107Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:48.158{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38451E0625DA336C632B1F87E0D8E85F,SHA256=148C6DFAD8BE780E384312FF1AF615325B46FE71876A64CFFED27814851DDE46,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015902106Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:48.033{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EC14-60DD-9F2A-00000000C701}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902105Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:48.033{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902104Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:48.033{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902103Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:48.033{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902102Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:48.033{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902101Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:48.033{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902100Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:48.033{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902099Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:48.033{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902098Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:48.033{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902097Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:48.033{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902096Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:48.033{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-EC14-60DD-9F2A-00000000C701}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015902095Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:48.033{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EC14-60DD-9F2A-00000000C701}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015902094Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:48.033{B81B27B7-EC14-60DD-9F2A-00000000C701}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007999624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:46.321{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61118-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015902139Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:49.814{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F9579B575762EFF7AB6D19E8047AAFB,SHA256=40158A755852106E1B87D4B046B2DE752E279717BA9BF9DE34C8D3A4EF6AC3CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015902138Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:49.376{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EC15-60DD-A12A-00000000C701}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902137Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:49.376{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902136Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:49.376{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902135Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:49.376{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902134Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:49.376{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902133Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:49.376{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902132Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:49.376{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902131Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:49.376{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902130Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:49.376{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902129Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:49.376{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902128Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:49.376{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-EC15-60DD-A12A-00000000C701}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015902127Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:49.376{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EC15-60DD-A12A-00000000C701}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015902126Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:49.377{B81B27B7-EC15-60DD-A12A-00000000C701}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015902125Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:49.142{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6320D89157D939B832A47D4097D3AA4E,SHA256=19104CBDB665C14E4CE6A3844671C09A61D68E3942C36F51E688EED3F682362F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:50.867{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B662902B8B4BB3C43D7B7C4DB6A3B0BF,SHA256=377579086F4835D2296F2B9A80554AE7DEBDDC769BF26C25AEC8CC6DF3B2E46E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007999625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:50.180{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DB55D01DF481905540C644516A6CBD5,SHA256=7140D34AD262A5242DFB6DAEEA4A204DF4382497D34774B3FF2448F9A2973061,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902140Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:50.142{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F40C640D499FF9F11A20F7A7373C924,SHA256=24B73CA0E1CF8EE56696912B0C8AF9DE68FB878DCC0FABCE49B316DA939C1339,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:51.555{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA3A955E3865F6692280A15A5F5CC9CE,SHA256=3ACBE09BF40D8738B8638B978DA5138E4D73480991A779C922FF4DF7B1139C65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902141Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:51.158{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=258DB19FED3DC762BA1233B9DB9D8878,SHA256=620CACBC4EF66A96E0F281025596CEF0D1A99EBB2308A848277E7BDEF6008662,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:52.914{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38811A41B2DA2229DAF906C9E0D6F981,SHA256=E713A5D15D67A569CBF5C1DCAE2CE7BAB784D7F5F4D93EE19A0EB0AF7F25017A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902142Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:52.173{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FC89E2AE4883A60D2620D4C71EFF408,SHA256=CD43BDE7C4FA792D06BEB6F810C995D05E0B7DCD4433D2E1E40B3AD539CE1017,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007999629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:51.372{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61119-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000015902144Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:51.447{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52140-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015902143Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:53.189{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A764590E0705ADCE4718189E915BE124,SHA256=1D252E34C2EA5E039965FCAE620CE0D693D2C3C2547534E4F0CA1A87185446F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:54.289{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=927A5F515C40304A6DF3AE25D636A557,SHA256=8C1853F6F196E4F3911F37AB05FD077168C95F859C836F5318655C10BAB18127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902145Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:54.204{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A74D7447CC341C2F512590865F01546,SHA256=89D07C37B528965D3C6AE94F17B6E75FCDF538E4A1FE8C4238F6A57A37CD5BCC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:55.648{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=920D8DC7FA8BD47EAC2C4EC3794858CE,SHA256=AF067B959701FEFE1912AD6F6CB61D26BA933FCB801BDF39F4EC9115590FA8C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902147Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:55.486{B81B27B7-880A-60DC-1000-00000000C701}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E7D274DF80BAEB07FDF68477BB0830F7,SHA256=FAAA4EBB6FA6BB36CDC2CC9AA7C085B5F40123089861E987AF0D884209A89F64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902146Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:55.220{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77939E03BFFF805692C8A5187EAF736E,SHA256=A55FF9E78447A4371F1F8B23115EACB585030C2A480DAEEAAEC16A474AF0E898,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902148Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:56.236{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=693B8DFBA4B6D44BB7CF01ED3F96D87F,SHA256=7387AB71762447FF2A01ED2174D61C354FABF24F9FCC9F76395BCFC81243BCFE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:57.008{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=396280BFC431605AB64A3A10D4335AFD,SHA256=3E1AD276BE999FD18D43BFF5CD41737674E1A684F258E5F7E501CBE05B77548E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902149Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:57.251{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39E10F1CBE6D58DFD687500C2F5E5FAC,SHA256=2D0F5175DE2891CF56B041550D1B0E9069E505091360C87A431B6D4F0C5F770B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:58.383{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1907858E6C3E1AEAA12C5D4BD358C35,SHA256=2FA5F498DB79920C3B78EBDF5E5095D369B3325C40237660702D98B2978E23AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902150Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:58.251{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=505ADC9E1F3379F4498BD87F005DBB85,SHA256=D9E6C1AA05D7CF302B6CE3C248B7F850CD2230AA04F2E79B7F28F5EC026DD2AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000007999636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:56.403{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61120-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007999635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:59.742{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24216F31431B4D9E907BCA6303AB8297,SHA256=08E2C79942C6CCD26AF023A4BD6D9B18A98B5694EF15C45BE1FB28B50565A496,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007999634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:23:59.742{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81544CE6823D56FCCCFD1EF5272578AB,SHA256=42B909063830726249BEDFA41748C128783C6810690BB8497804E838350A14E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902152Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:59.267{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FC5C50F90FB66024703B403A359B5EB,SHA256=6C6D38FC137869C904840AD35205E55EBBF5AE4136BEAD305E0DB97F41D53472,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015902151Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:23:56.556{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52141-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015902153Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:00.330{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C10F59749D9A10DE6F6D40757F96C5B2,SHA256=B7A29A53ECF583E18D1DD55E59B3620B2270FA5945034D421BBFF1829720C8BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:01.102{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50EC0E5A1D90691BE3A8C69E344BE30A,SHA256=841840D1BF0159A58E2D8F0F8AF66D30D51831C80975F265413E75A33DD51689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902154Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:01.376{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BEE67882C7C9CCC0B734C1F08E7F1E3,SHA256=C00E8A3A902AA6477BD58C44AB35E83E7D39DEE5BB68E5C2A8C969FF8DB00C9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:02.462{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66645E147D1480F125CF33D7BC426575,SHA256=DC09E128DBE0F27653F3AE59AC27F1D46DFE1E4DD5D40B3EDBEA81348B2E729E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902155Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:02.376{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E6A58D9E6646D5D4FD0C56EE0DF400E,SHA256=C09CF3F39DDEC22B0936CA258E4C84448E309EA59578F9C2F5D980840DBEE05D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:03.835{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4C5C9D109B70ADDCA2531E8E993A683,SHA256=2FE36BDFB6BC83F20BCE4446B45785BF2B1877733236EF5D4CB77DDB2280B74D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902156Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:03.392{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B47575176DE70AD6804C00D349D74046,SHA256=7FD51CC52594318E9083CAF7CB24EB5737BC74BBDB3869AD4AE04DF3F9EF6097,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902157Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:04.408{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9665E1D50C19CD21A3F5FF49687ACAD,SHA256=23523A719E997268E2DF65379AB355D9D1D5B02D7F84BCB0E9BE43DBEFA051A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007999669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:05.494{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:05.494{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:05.494{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:05.494{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:05.494{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:05.494{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:05.494{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0702-00000000C801}1080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:05.494{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:05.494{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:05.494{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:05.494{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:05.494{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:05.494{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:05.494{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:05.494{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:05.494{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:05.494{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:05.494{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:05.494{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:05.494{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:05.494{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AB-60DD-0602-00000000C801}3812C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:05.494{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:05.494{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:05.494{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:05.494{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:05.494{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:05.494{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:05.494{3BF36828-DD0D-60DD-0D00-00000000C801}924944C:\Windows\system32\svchost.exe{3BF36828-E8AC-60DD-0802-00000000C801}3600C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007999641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:05.197{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB0F066BF4D060F778C66FE20469FE02,SHA256=7DE962C2723177ADE49A064B7D85E4BECE24E73DC3038E95D1EBF76922F63FA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007999640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:02.326{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61121-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015902159Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:05.408{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09E572D24F45119B81F8D62B5498AB3A,SHA256=2C3854927E4E615F818889EB692C5511062253975436C352C13BBD5B425B4E79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015902158Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:02.462{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52142-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007999670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:06.572{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0780DF2659097D3D908B26C89CD2964D,SHA256=03BEC3A40CB18D27E6BEBBCA0E3919963D44E57A8A32B6B4629BFEF0B40B3009,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902160Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:06.455{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61A2838A051B55B891548989F77A7C7A,SHA256=DC51A090F23706CDB011600E157F257D508CADFE0F7FDF596F139BF48AC9C45D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:07.932{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ED323B97343AEF85BC937F8A1505924,SHA256=9937F0AA35190525A2AE4D653B574E6E765FC808B9BA4814EA86867524E0CE02,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007999672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:05.565{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-128.attackrange.local138netbios-dgm 354300x80000000000000007999671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:05.564{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-128.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x800000000000000015902161Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:07.486{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52946F538A8881E23D5D1E0A8A2083B3,SHA256=DE84EC0BCCD8B44505969378B6BE76F9B0E55C8B1AA29F4A6085E6799804BCC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:08.622{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1954670AAD76128A006F6558D69AD6B,SHA256=24F89265995E3836D223410F4CF5CCB83C9CCA0831C8CF7A2F1DDC6EC8D94A3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902162Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:08.522{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=692FC37A1D6F0E8824E4F39C1C0C00A1,SHA256=53BD8EB54ABEA68A712CD7ED01D55F9747F999704508308A9EFB1F8B2D149D08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:09.340{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92E3A7B7CC40EC9D150CBDD69B3D19A6,SHA256=DF0260BD955B50A25E9F2DC9216363243E9DB2045D0777DDDCDDD6083B240477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902163Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:09.523{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6CD72F2CB2E247B8E97B27695A261E1,SHA256=2CBE5A0D5F9EF02A16D14CDBCEE4A278F885E1893AE4738031DE1F97E6B99E9E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:10.715{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD8880598D8D59C512EBABDD4A9F9F97,SHA256=F52A7CE92740B270FEE5812B54DB6FB830605744D473C70AD4EAFA5D7BD616DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007999676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:07.423{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61122-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015902165Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:10.536{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9085EFCEA756B31768BC3D994F14C2C8,SHA256=71BF3ED79BE20CCA737B9BB8655D58A37A0D17A2BAF19D827F50D4BC237EEFBA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015902164Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:07.545{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52143-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015902166Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:11.555{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2388AFF286B75BB10D990E5CF500501D,SHA256=ACD3A00101ADCBCDEAB2F4D54C94FBDA1147B1C70DF28A28602DA2DF81C32819,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902167Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:12.586{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=130844A4869300DB6ABDAF905E96A489,SHA256=FA16E2F915CCEC3A445A8CC4A5712C6A365DBEB3D7BA11981C56ADA3EF135ACB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:13.418{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0565935DB175D4905092C5719AAB4EC,SHA256=F4F3B86FB314459009AA595EF5708B4847FC329398151743FADACEAE11FD299A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007999679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:10.892{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61123-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000007999678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:10.892{3BF36828-DD1D-60DD-2F00-00000000C801}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61123-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x800000000000000015902168Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:13.602{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=861B072828EA31AA367BC78F3FBDC9FB,SHA256=FD982F1A0804ABA1B730387C0A49FF757FF8DF6A09409138F86CFBD5CE77A120,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902169Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:14.617{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DB43FF4EDA6CE10A0EE0A7C92697A6D,SHA256=3ADAA788AC4E54606234F3F40DDF57CDB3DB73747466DCF0900B7A969EA3D8E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000007999684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:15.840{3BF36828-DD0D-60DD-0D00-00000000C801}9244328C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:15.840{3BF36828-DD0D-60DD-0D00-00000000C801}9241944C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:15.153{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000007999681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:15.106{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B474BE55060D978993850CA8BADC04CC,SHA256=736DE0FA549DD099ACC002052AA4E7137CEC3A852EAF3BB604746608A0E4A5A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902170Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:15.617{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=630A456DC93438F77BBE7353851646B0,SHA256=61313A92C21CABDEFB2529AFED29B31669C2DCD03A77A399497E796752516C31,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:16.465{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E7D648AFFCE108F7FD7546628F140A,SHA256=37D0ED6D66DD333095EAB8B982732AB729238AE4567D290DFD373C87A9656AD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007999685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:13.329{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61124-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015902172Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:16.617{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7610E836D984594B2C46BE4E8C33412,SHA256=CC1D5B56E511A2CC62C89AEA9CE78E0BB64489526C036CC9B910AFA6DF5A8AE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015902171Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:13.453{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52144-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007999687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:17.840{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E168BBA3AD1FD29A84CB16FC57869A68,SHA256=9638B09CC5A14221CA2359A131A6AEB1C33302B0CF1D2691D9590CCBBDC5796B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902173Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:17.633{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23C5E81879B004D680B996E88C653324,SHA256=741902D76E1E1CDF0925F09023CF0A5A2DC83DAC5FC9EC6B216A4F4C0EDF2E6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902174Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:18.649{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0634869172B88EE3BD75490ECAD28E41,SHA256=4C368C5069248B1D72AF5EED31D989428771DCC987679823B5CCE4E948A92085,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007999788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.919{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007999787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.919{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007999786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.919{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007999785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.919{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007999784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.919{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007999783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.919{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007999782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.919{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007999781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.919{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007999780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.919{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007999779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007999778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007999777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007999776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007999775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007999774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007999773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007999772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007999771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007999770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007999769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007999768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007999767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007999766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007999765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007999764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007999763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007999762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007999761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007999760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007999759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007999758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007999757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007999756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007999755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007999754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007999753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007999752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007999751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007999750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007999749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007999748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x80000000000000007999747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007999742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007999741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.905{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007999740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.903{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3EF2AD2AB40F6E8A2CFA8B5B9106AF9,SHA256=3B0E98A9270D5D7A0B1F8C51674DEF6BE3F192DB38C1736FB1848F010CBA4F79,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007999739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.340{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007999738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.340{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007999737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.340{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007999736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.231{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007999735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.231{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007999734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.231{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007999733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.231{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007999732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.231{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007999731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.231{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007999730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.231{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007999729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.231{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007999728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007999727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007999726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007999725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007999724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007999723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007999722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007999721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007999720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007999719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007999718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007999717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007999716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007999715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007999714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007999713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007999712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007999711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007999710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007999709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007999708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007999707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007999706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007999705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007999704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007999703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007999702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x80000000000000007999701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007999700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007999699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007999698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007999697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007999696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007999695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x80000000000000007999694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007999690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007999689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.218{3BF36828-EC33-60DD-8E02-00000000C801}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007999688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:19.215{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD3548ECE1BF317BE50CB1B1EB82274B,SHA256=57CA923B060319C47E970C8CD8F0162595580690132AC5C54F4D4CF3B0CA2D8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902175Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:19.664{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BA8FD897D8BE1524D5596429D30708A,SHA256=3630564D4A0114726EFF334792770530BC5FD39C65C0C29190DBCE3BA6CC94E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:20.575{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C38196F08BA8BE1735B1EF7E1598C04,SHA256=EEA8FF6CAB02B0B1E95A0A91A160419480D9ADAE8B98BE4659E7EBFF9837993C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000007999791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:20.028{3BF36828-EC33-60DD-8F02-00000000C801}38722220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007999790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:20.028{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007999789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:20.028{3BF36828-EC33-60DD-8F02-00000000C801}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000015902176Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:20.680{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9730AF6F1183D49838108D02F9BCC3EF,SHA256=A8493594FF3395FE25139FC5CF80C6DE11283CE06B305B1E2CE717B202632EF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:21.950{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C19C3842494C63EF7DD267F27B8B055,SHA256=1FE3ED7003C8BB645E5D47750EE35E4FD0627255161BD50EF0B2D59AAE61C36E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000007999795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:18.438{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61125-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000007999794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:21.278{3BF36828-DD1D-60DD-3000-00000000C801}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000007999793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:21.262{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AC9D5BCB9E819DD526499434E22D54F,SHA256=BA67975017FBA08ADE8BE68897B055144F48026C1F6C095F58C51ABCA25E2ACD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902178Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:21.680{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D744E6BAD7FF849A7D7C9FF99BE288EF,SHA256=04B3D029BE2A7FF9913290C38022832EDC6AE16FE029753C6480F50C0A7E7553,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015902177Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:19.328{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52145-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000007999797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:20.454{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61126-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000015902179Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:22.696{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B43794F9B2CE6E72708CBD96EC889B4E,SHA256=050E03D567B9E15F5A968960FD0A2848F5C7B2604F2737091C6AD388D95D16A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:23.387{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=317CEA8B5F196D0B3C9B8A2F2BCE7DE6,SHA256=5C684B130DC3E6C344D7AC82D3B5338592099408BF3EACA0FA2B7A000B69BE00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902180Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:23.696{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3AD629A4D137AE1232E66A3C07D6597,SHA256=A8789EF61E4742D7A19932AF310F730771728A48265634CE167EF3DB19A59D08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000007999799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:24.809{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=381E051ADCA8D762EA3158FA3549828F,SHA256=3A67EC0C6993264AE4B49BB32655F1A250B3AE6F977DDFF7C542ACF621695AAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902181Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:24.711{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBDF627EEEBAF12854D487F460C9BF77,SHA256=8ED2D44B3714EFC99620138633B728F6628745E722415F0145D3EF4B3446FF3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902182Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:25.727{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DB613F3A8BD7F5D1ED5EA2BC129FFB4,SHA256=260346BE1F3A42D4A0C40D3ABF57BFFFC388A32120F593136F2F8D6B5FF6FF28,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007999907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.981{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007999906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.981{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007999905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.981{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007999904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.872{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007999903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.872{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007999902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.872{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007999901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.872{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007999900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.872{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007999899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.872{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007999898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.872{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007999897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.872{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007999896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000007999895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007999894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007999893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007999892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007999891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007999890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007999889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007999888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007999887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007999886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007999885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007999884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007999883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007999882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007999881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007999880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007999879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007999878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007999877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007999876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007999875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000007999874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007999873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007999872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007999871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000007999870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000007999869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007999868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007999867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007999866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007999865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x80000000000000007999864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007999863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007999862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007999861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000007999860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007999859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x80000000000000007999858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007999854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.856{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007999853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.859{3BF36828-EC3A-60DD-9102-00000000C801}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000007999852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:24.344{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61127-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x80000000000000007999851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.309{3BF36828-EC3A-60DD-9002-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000007999850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.309{3BF36828-EC3A-60DD-9002-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007999849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.309{3BF36828-EC3A-60DD-9002-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007999848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.200{3BF36828-EC3A-60DD-9002-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007999847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.200{3BF36828-EC3A-60DD-9002-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007999846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.200{3BF36828-EC3A-60DD-9002-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007999845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.200{3BF36828-EC3A-60DD-9002-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007999844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.200{3BF36828-EC3A-60DD-9002-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007999843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.200{3BF36828-EC3A-60DD-9002-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007999842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.200{3BF36828-EC3A-60DD-9002-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007999841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007999840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007999839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007999838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007999837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007999836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007999835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007999834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x80000000000000007999833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007999832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007999831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007999830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007999829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007999828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007999827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007999826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007999825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000007999824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007999823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007999822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007999821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007999820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007999819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007999818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007999817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000007999816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007999815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007999814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007999813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000007999812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007999811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007999810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007999809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007999808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x80000000000000007999807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007999802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EBA5-60DD-7F02-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007999801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.186{3BF36828-EC3A-60DD-9002-00000000C801}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000007999800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:26.184{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B6D8829274C8EF09484D86E522B0118,SHA256=E80C7AB546229E5A48DC12C4BE57D18585D14159A81C39C98B0D1C811BB75A81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902183Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:26.743{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC984ACAB1E6C3B43C6E352646E67DC9,SHA256=D67ACD2D94ED6473D3DC22947EA88A07279F91DF5C16D33082B0BDCB43A5F11B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000007999959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.669{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000007999958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.669{3BF36828-EC3B-60DD-9202-00000000C801}1504456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007999957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.669{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000007999956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.669{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000007999955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.559{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000007999954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.559{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000007999953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.559{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000007999952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.559{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000007999951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.559{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000007999950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.559{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000007999949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.559{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000007999948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.559{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000007999947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007999946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007999945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007999944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007999943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007999942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 23542300x80000000000000007999941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A690C05F32C097F129D88EEC6692BA3,SHA256=E5C00C467BFC7CBA2B345ADCE8E5C822FFBFC322AFBC78CC28516F58ED177994,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007999940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007999939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007999938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007999937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007999936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007999935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007999934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007999933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007999932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007999931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007999930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007999929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007999928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007999927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007999926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007999925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007999924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007999923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007999922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007999921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007999920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007999919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007999918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007999917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007999916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007999915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000007999914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007999909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.544{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007999908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:27.546{3BF36828-EC3B-60DD-9202-00000000C801}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015902185Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:27.758{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E97FFAD0AFAABAA34D1F4B5ACF9831E,SHA256=DC1A73F71FFBD4F958353F39BFE24821B451E3BB98D7D591C92638DBB7D23792,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015902184Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:25.344{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52146-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x80000000000000008000060Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.925{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000008000059Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.925{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000008000058Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.925{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000008000057Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.925{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000008000056Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.925{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000008000055Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.925{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000008000054Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.925{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000008000053Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.925{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 23542300x80000000000000008000052Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AED4F00435F98FFBC9EB80DB57D2D45B,SHA256=D86D768CBF7E2FE708A5DB499C0227644912C2EAD3D45C4CCE995DB770BF94D3,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000008000051Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000008000050Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000008000049Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000008000048Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000008000047Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000008000046Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000008000045Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000008000044Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000008000043Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000008000042Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000008000041Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000008000040Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000008000039Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000008000038Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000008000037Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000008000036Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000008000035Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000008000034Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000008000033Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000008000032Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000008000031Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000008000030Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000008000029Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000008000028Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000008000027Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000008000026Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000008000025Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000008000024Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000008000023Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000008000022Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000008000021Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000008000020Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000008000019Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000018Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000017Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000016Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000015Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008000014Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.909{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008000013Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.911{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000008000012Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.346{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000008000011Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.346{3BF36828-EC3C-60DD-9302-00000000C801}38042608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000008000010Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.346{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000008000009Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.346{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000008000008Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.237{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000008000007Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.237{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000008000006Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.237{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000008000005Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.237{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000008000004Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.237{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000008000003Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.237{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000008000002Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.237{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000008000001Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.237{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000008000000Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000007999999Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000007999998Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000007999997Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000007999996Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000007999995Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000007999994Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 23542300x80000000000000007999993Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FECA74984BD328B80AF9C50DBEF2800,SHA256=D1C8136509C03BAE4617397DB7433F23F19052B3AC3DCA0221D88C6A111E1D95,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000007999992Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000007999991Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000007999990Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007999989Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000007999988Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000007999987Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000007999986Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000007999985Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000007999984Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000007999983Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000007999982Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000007999981Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000007999980Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000007999979Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000007999978Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000007999977Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000007999976Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000007999975Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000007999974Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000007999973Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000007999972Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000007999971Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000007999970Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000007999969Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000007999968Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000007999967Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x80000000000000007999966Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999965Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999964Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999963Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007999962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000007999961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.221{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000007999960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:28.224{3BF36828-EC3C-60DD-9302-00000000C801}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015902187Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:28.840{B81B27B7-880B-60DC-1F00-00000000C701}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902186Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:28.762{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA2E16189B1269E64D770AE31EFF5DA3,SHA256=20D9991677DCAF10878D6B5F6A2E3456732F04807BFDE0704596173CAB566C95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000065Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:29.581{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB0628F36A429414843F37EC11DBE53C,SHA256=78A76717A2FA827273C4C14B5B8F2DB06C771C2ECE8A2EDE571745A321C08156,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000008000064Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:29.034{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000008000063Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:29.034{3BF36828-EC3C-60DD-9402-00000000C801}15764892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000008000062Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:29.034{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000008000061Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:29.034{3BF36828-EC3C-60DD-9402-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000015902188Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:29.778{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF0A5B2F0DD82F8C9E4842048DE95C12,SHA256=6678DA4CE3D88B47A61E0BF0F71B04DA9BFAD1B9ED0577E01ED29712B9D88BD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000066Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:30.346{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4722340CE5345FFBAB518D825D3544CA,SHA256=2DCF5D3C5204D32B6DE8BD30940AF860F8FD78FA9D5F634E2B66A2194CA05246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902190Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:30.778{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA23BE4916B456D97E7F1E261782CB7E,SHA256=FC62722C4D20CB03A78A93C70F4970874226A8929D8C0A62C2B2DB653B7FB712,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015902189Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:28.129{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52147-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000008000068Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:31.846{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=038E1E82783F94CD656A0E2B7E647967,SHA256=6693450134B27E4AFF327E78ABB6C92B5E35D78B045C14938F8CC25BC96F6B83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008000067Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:31.081{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B84871D97E0363BB706525D17A16DB4F,SHA256=4A68B334000F1CC9237FA985D9BE0FA68B93C420C144DB1D432D48FCEC3C7742,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902191Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:31.793{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64FF43169CC671F14427FFD9F3E0FED8,SHA256=9A76FF041FB9203FF7AEEA1093E98F328EE5F8C301EA3619047BE4B14341DC89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902192Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:32.809{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DDBDDA0D8191C070DF96EF28556C8BD,SHA256=98C236741895D543C8326D174846DC76B19691F13058FC905312F970353F6D1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000070Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:33.300{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50E4445E008B3CC150A54D3F99F56B48,SHA256=5F696F18D14669571E2D4E401EE46066D04857449BD702311DDF5763C13AA1CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008000069Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:30.257{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61128-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000015902194Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:31.332{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52148-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015902193Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:33.809{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DBAD88851FDB72EBECC72C4775CFA11,SHA256=4BC2B18AA30CFBFC2ABB8E63E5E991DFFC88130B4B2E5AF9B035CAC4F40D170D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000071Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:34.675{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D37E918EE7FB3A0ABC4CACF497D2B95,SHA256=F8736E186CABFE99F4EDE684CD7847220454E1124FF4D6909F2A26D15D999F75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902195Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:34.809{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=769EFBBC6F017453443C522BA34F11BF,SHA256=560C3D2612C58C7A7E2C68998EB308E2D3815123A0C690459DBD92305226BED2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902196Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:35.825{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAFE15987079024470707E72768F07AF,SHA256=182F4CC5A0777AFC2F0FB8EBF8A73B589274593F8A361DF7AF0F574F54AD1D8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000072Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:36.034{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F70F41509C1EEDB7F591F0E2AFC38F2E,SHA256=934B509353FE96ADFA25F1EC7C9D62390DE3A435BDBE22EE55A65857A678406E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902197Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:36.840{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B50F179AEE2956543C5CCCA5A8E07C0,SHA256=7E7217831A16CB00316149F977F13EB8B93182BDF021C2C14BF7596232EFC5AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000073Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:37.409{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DC8CAE07525A529E0F269BD8DD1A197,SHA256=7B6E7CC528F66C7EEEA7045E5B425695D8B4900695ADFEBFF794B246326D3CEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902198Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:37.856{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=757B6747EC3BBD31F698D1848955716A,SHA256=B27B259591DCC963652AE225B44725B5C48610C15C00EC895D5EA56C59ACE49B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000074Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:38.768{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C001E9CA69C9EF1557E5C62BE4A24BEA,SHA256=68F7D508C52F8E119FA5BA99ABF5912E62DB4791F8DAE742955B0F86240AD8A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902199Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:38.872{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAA24C92753CBD036B1F9544C641672C,SHA256=456F0FC5C987D42C067A6AD2E00FBE9A845D1592EDFB741CFF68D36EA9A36576,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000008000075Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:36.256{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61129-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015902201Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:39.872{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03FDE0948672A13AE7BB9E4E17354DD0,SHA256=6D7A8E5ACA53E12A2201E56474948577B40859EA03AE3C54CAE4F3B59E98E3F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015902200Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:36.566{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52149-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000008000077Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:40.128{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B419B72E3116B780FF0FF8E27EF827EC,SHA256=70A7203E70C1490A2AE68ADF3930D89D4A3D8BB540BFA30F7FFC950434A27C1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008000076Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:40.128{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B3C856A47C7485E074FE97B1A149FE6,SHA256=F91D5739D3A85EAC5A45AC97976152315FE7D7D45EB64A430D1E2743880A28DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902202Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:40.887{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41DA48447C49FD3A600DDF6297F77AF5,SHA256=FAF424CDFF6A02FE91300CCE1750BFAB5DBEC7CC7D7F7490F0BDE0767AF8068A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000078Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:41.503{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7760159019F0E5FBD32432012D967462,SHA256=B5F9AF5619A65B993973890D8CFD65F301A93680673D49139AF94D01900FD488,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902203Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:41.903{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=544A53EF99569BBBE76A5848B4A39D34,SHA256=36939304B096621C707AAD8EF6B167F6864FC5D4D253FA7229A424FD84F1D0B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000080Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:42.862{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63604A96D40DA9D0FE5263D58217E8C0,SHA256=EB6AB03D8C100FB72757AA2E19CE776D408830FF1DF1424CA226D82EEA704291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008000079Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:42.534{3BF36828-DD0D-60DD-1200-00000000C801}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=09792F57DF8B5A07BE94C829061EAF94,SHA256=A8CBDDE5AC6C4EE633A5A4D695C4805B7131A06EDFB099740D3CA0D34FC3C6D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015902218Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:42.934{B81B27B7-EC4A-60DD-A22A-00000000C701}6112712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000015902217Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:42.919{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6881F9DC04D042818345DF81CA74FAFD,SHA256=F11E6CD80379A31A30F5E8A332A3ABE0680CE91D7BB89E6C88C2BAF0E15A1A3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015902216Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:42.794{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EC4A-60DD-A22A-00000000C701}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902215Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:42.794{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902214Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:42.794{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902213Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:42.794{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902212Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:42.794{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902211Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:42.794{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902210Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:42.794{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902209Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:42.794{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902208Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:42.794{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902207Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:42.794{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902206Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:42.794{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-EC4A-60DD-A22A-00000000C701}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015902205Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:42.794{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EC4A-60DD-A22A-00000000C701}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015902204Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:42.794{B81B27B7-EC4A-60DD-A22A-00000000C701}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000015902247Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:43.981{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EC4B-60DD-A42A-00000000C701}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902246Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:43.981{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902245Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:43.981{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902244Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:43.981{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902243Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:43.981{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902242Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:43.981{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902241Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:43.981{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902240Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:43.981{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902239Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:43.981{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902238Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:43.981{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902237Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:43.981{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-EC4B-60DD-A42A-00000000C701}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015902236Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:43.981{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EC4B-60DD-A42A-00000000C701}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015902235Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:43.983{B81B27B7-EC4B-60DD-A42A-00000000C701}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015902234Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:43.919{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21EA03F73DE5764C1E363F65EC76D464,SHA256=0E2D0FBC577990926A304FD2E2C8DE96996430FB136B3DD6D41A492BD85C7451,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902233Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:43.872{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E619171014F59FA7FF863DAF017A8C5,SHA256=5C486FEBF9A1FF1876C39CFBE2C189B7C2D95D8040DD9A76299752D47B790B97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902232Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:43.872{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B249A53883BB961770B999FC79E6E384,SHA256=67C4FDB059F534B77750D3A997D6B8C5FF94279702E50D28DFE06DA3C4895B65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015902231Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:43.356{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EC4B-60DD-A32A-00000000C701}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902230Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:43.356{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902229Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:43.356{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902228Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:43.356{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902227Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:43.356{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902226Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:43.356{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902225Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:43.356{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902224Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:43.356{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902223Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:43.356{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902222Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:43.356{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902221Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:43.356{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-EC4B-60DD-A32A-00000000C701}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015902220Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:43.356{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EC4B-60DD-A32A-00000000C701}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015902219Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:43.359{B81B27B7-EC4B-60DD-A32A-00000000C701}856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000008000082Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:44.878{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=078CBE2CEE0B8C00E661ADD9D479DD70,SHA256=2023DA5ACBA07EF320783621DDA0D592A1D1D95BD6CF284DC4A763C9DFD4CFAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008000081Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:41.428{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61130-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015902249Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:44.981{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E619171014F59FA7FF863DAF017A8C5,SHA256=5C486FEBF9A1FF1876C39CFBE2C189B7C2D95D8040DD9A76299752D47B790B97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902248Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:44.934{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0C6115D2D44D67514EC89EEE627E93B,SHA256=C3E2A27DE66D59E716FCAB396997001151684774A35E70E83BDFF80C29A342EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000083Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:45.550{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FEC58449CF8ADF92929681C5C899D5B,SHA256=97974B4F1F3A94EAFE272ECEDECC978973F59DA912D364E98C9D36E9FD587DEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902251Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:45.967{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A489648EA7AB74EAF8A3CD3B3477F68D,SHA256=DFF5640AB9AC44561BFC7D0C57103F36AD50BB000AD701A422F37997BE6AC5A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015902250Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:42.426{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52150-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000008000084Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:46.940{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEBB606E512F01700BE97D31298B7408,SHA256=DF610EE8FEE6552394FD561C3CBAD39EE47B6605590E724151DFB2DDFE64B328,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015902266Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:47.529{B81B27B7-EC4F-60DD-A52A-00000000C701}56805224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902265Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:47.373{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EC4F-60DD-A52A-00000000C701}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902264Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:47.373{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902263Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:47.373{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902262Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:47.373{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902261Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:47.373{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902260Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:47.373{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902259Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:47.373{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902258Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:47.373{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902257Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:47.373{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902256Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:47.373{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902255Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:47.373{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-EC4F-60DD-A52A-00000000C701}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015902254Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:47.373{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EC4F-60DD-A52A-00000000C701}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015902253Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:47.374{B81B27B7-EC4F-60DD-A52A-00000000C701}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015902252Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:46.998{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF661B28C7F391B6FC6F4C5A1B3CECD6,SHA256=BA0013FCC2988D3E491942E8668E09E4ACEBCAA88A8041D1D1671D51B13DA6F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000085Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:48.320{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FAD43E34936006C358C9F664290894D,SHA256=B25F7A58F4868FFF92CEE984A9766DD16D1D525EA0D29C667F03540C2D51710E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015902295Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:48.720{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EC50-60DD-A72A-00000000C701}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902294Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:48.720{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902293Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:48.720{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902292Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:48.720{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902291Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:48.720{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902290Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:48.720{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902289Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:48.720{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902288Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:48.720{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902287Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:48.720{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902286Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:48.720{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902285Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:48.720{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-EC50-60DD-A72A-00000000C701}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015902284Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:48.720{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EC50-60DD-A72A-00000000C701}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015902283Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:48.721{B81B27B7-EC50-60DD-A72A-00000000C701}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015902282Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:48.376{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F938AB36FD30199EE0F716A37CB7570,SHA256=4DCABFEAC415AA000A98207540B37303B6D87F266C94D73E415105B85F65A059,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015902281Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:48.189{B81B27B7-EC50-60DD-A62A-00000000C701}8326060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902280Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:48.048{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EC50-60DD-A62A-00000000C701}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902279Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:48.048{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902278Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:48.048{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902277Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:48.048{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902276Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:48.048{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902275Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:48.048{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902274Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:48.048{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902273Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:48.048{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902272Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:48.048{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902271Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:48.048{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902270Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:48.048{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-EC50-60DD-A62A-00000000C701}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015902269Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:48.048{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EC50-60DD-A62A-00000000C701}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015902268Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:48.049{B81B27B7-EC50-60DD-A62A-00000000C701}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015902267Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:48.017{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C14F4C81FAD58E213CC9ED0715B9D4A,SHA256=88D0DCF21229A605321C104ACE3408D906B05D0CDC911503BB0BDE7CDBFF0E3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000087Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:49.680{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9132381EF618E3653280BAE2F0D85F0,SHA256=933D86220A4A7F57529735D8DA1B1BE99F8D76D1F4FB4EA803ACEF6FE70A07D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008000086Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:47.292{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61131-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015902311Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:49.955{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=987AE1A23047F0F2665D944CF481E146,SHA256=ED31189E0A35838A27444C96D41AC0AECB72D56B6E0052FE7F5CC51ED856D6A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015902310Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:49.533{B81B27B7-EC51-60DD-A82A-00000000C701}1724236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902309Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:49.392{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EC51-60DD-A82A-00000000C701}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902308Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:49.392{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902307Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:49.392{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902306Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:49.392{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902305Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:49.392{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902304Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:49.392{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902303Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:49.392{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902302Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:49.392{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902301Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:49.392{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902300Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:49.392{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902299Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:49.392{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-EC51-60DD-A82A-00000000C701}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015902298Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:49.392{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EC51-60DD-A82A-00000000C701}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015902297Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:49.393{B81B27B7-EC51-60DD-A82A-00000000C701}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015902296Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:49.142{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35EC0434B14339DF77F803837066555F,SHA256=C9D89AE83F535877E5BD97BB377325D26948E57929E861AABD4016C26DA605C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902313Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:50.267{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CBD6EF2B07248A68A3817B8AFCCEFCA,SHA256=B91C2EC2C1A73E61CC4C31734E7795934B58052E70FDAE2D0B17CAFDD3AFA92A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015902312Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:47.525{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52151-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000008000089Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:51.054{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46510A119532FA9B4B440B6E0E7A8C94,SHA256=AC71323C4908C91EF3229029D350A68489CA849ABE3C0D9782CAE54F7323EC30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008000088Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:51.054{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1E861F4E3DEE9BBD74612AC00753E20,SHA256=F23FE48992AEE0F05AC1018075A52227AE36366B55582089DB8F60D72450F588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902314Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:51.501{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF8C8BBBAB0586E78AAF386FA105076F,SHA256=3A6BD6D7D45E5941A2AEA0CE8F2B238031BA6A6DF77609E78C3CF208CB3B4F17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000090Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:52.414{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6523B5EC871FA735E39FC758F7691219,SHA256=0C61F756AF485D7A45C92FB84BA8EF12A6586FB4EB8E9F01F407F5666DBBBF6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902315Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:52.533{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F10DA0D0D0BD39ED559CD5AA28DC4813,SHA256=AC38013E732CA831AA9E7451DFCCFF1824760BA8ED3AC924651A3D9297E7EE9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000091Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:53.789{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A8AB3BAF0908C59AA3242131788C987,SHA256=A316F1E7A31DDE4D3DD21171B05E9F631AE011E2F6D6205BFFBBE729B185AFE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902316Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:53.548{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4E2D24F9A2C69A857D306655CCBA556,SHA256=7C2AA9857E9C997B6A79DE9627B8DEC29544EA99B211690B12CE86E7A400CCCE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902317Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:54.564{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=578AF6510D050CF391B96B146BCC99B0,SHA256=4D8D59A6A71B1BB3FB75C7D1F51647D74D5C243AE39D83E13E63218F8F8061A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000092Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:55.148{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=157F3CEDE662216CC19FC4A5FA3DD088,SHA256=6B34F9A9674A9C5A6C213EC887C478FC4F173CB08141D6283E3D010A63BE1354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902319Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:55.580{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0E5FCA884A5EE1F55F986F1DDE984C3,SHA256=27A29A68D5DC14BB35C9ADB71482F02CC96D4A7AD66D61FA9B0F7D107E6E5E1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902318Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:55.501{B81B27B7-880A-60DC-1000-00000000C701}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F567FE713902D6A6A6885FC6FABEB5E4,SHA256=213E4A6ACF35E212B54EDDA405341C0E1535B7761FE91CA79E0577BD3057B515,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000008000094Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:53.277{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61132-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000008000093Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:56.508{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6020C92EFCBA7A0A07407E98D02032F6,SHA256=67ECFDBC51452D8852ED9998595733638992D0E890B43DBECA7A93F2D2684272,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902321Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:56.642{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=546B865C6D438C3D88ABFAD30EEBC308,SHA256=62FB273C7C7D3F05943AB93FDC43385D4FA264AA99466843C6DBC387A8F769B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015902320Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:53.477{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52152-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000008000095Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:57.883{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8119A15E765CD8BD9CE9E66F85216BB,SHA256=5124ABA5B49F86E494E1F36E761AB99FCD31A6477C509833023B21DBD160F9F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902322Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:57.705{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5629664C5C5EEF7C6D1E96A951D5422,SHA256=E5668DC0B3042467E290E65071ABA6C3F3B5C413F93D0EAE9EBF8425CF8F6A0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902323Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:58.736{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2147B3742F61A8DB40C6FCE2C5404D44,SHA256=11AE03CA7E417EE1F304F5A2D92199A444E4532DCC90E7A6737FB6D99ACB000E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000097Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:59.914{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A98513D33AAF2F34682A0B4A0F9B4AB,SHA256=30B13596C8EE323A5F9A6F85854E6D3B99EB3FF779BEEC86CBF24F59EA709667,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008000096Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:59.242{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=377EEB5B1FFDD1FD18A3C33406BBE578,SHA256=8AFA32E87A1FFC18C1EA42F85E33D6B5ED65A971A1D7BC77DE90F3BAAB2289CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902324Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:59.752{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FDB092AFF33924E7BD4312A120508F5,SHA256=6E97C61885E303F485CEB49061A647203C44045B2C8D8851C74A2B71AF5536BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000008000099Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:24:58.401{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61133-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000008000098Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:00.603{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B4A29CDDEBC3D15B520336A744057DC,SHA256=4787C452C67C1C087F7F6E24A865912290E95ADFEC4D3E4122F97439165E85D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902325Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:00.783{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F425C52BBDE9337C3A0D5A761ECDB61F,SHA256=5C7CADD956C11960FE78772F610C7893AF6EA7134783AB639723BAA7BF1F1F2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000100Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:01.978{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E41641874DB872516C75782E88DA53E4,SHA256=009C526DF5636F6FE70D644AEE23D2F819A7F92DE2035C9C0A7CC0B6B7597FB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902327Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:01.798{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=962D4039F604FBFDB6B2A44E1E86BD58,SHA256=A8D7BC2D75E21725A51580A39CE603FED05B2021676EFCA168ED6941626C1FA9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015902326Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:24:59.384{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52153-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015902328Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:02.814{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9ECDDE52BC854FAED1A460DD1E4CB6A,SHA256=717C23895529889D9413307F02DD6971AEEBCED5AB90E377AE19E98C1730C1D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000102Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:03.337{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2922902FED38FA2248482450295C3AE3,SHA256=63BA42F77EDFD058E6E802E85334420649B0B940C8024AD17895CBC903829508,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000008000101Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:25:03.165{3BF36828-DD0D-60DD-1100-00000000C801}640C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d76e95-0xa53779ba) 23542300x800000000000000015902329Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:03.845{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E85BCBDE5308EB411A243500E40CA004,SHA256=A79B54769A0D9D31218FF603EEAD2352E3C26BAC301FF14FB9911F721ABBA4EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000103Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:04.710{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F77415939DCA799B41FE96F514BDBE1,SHA256=55048995CF6642CAB7EF08B56DCA4BD40EA8B7EDFB8DA214FDE23DF75C52A519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902330Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:04.892{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=876E6C03D1634CD635F1C4EC1592848F,SHA256=A06E91E0CD0429AE418D64D7E34F10C39C921C86FC006601A5D73D4868CA2E6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902331Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:05.923{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56530CBBD9716B8AFEB6234FC900926D,SHA256=5DBADC8A746F1A15A3ED6680F8FDA3B11D00A770D8F62C30CE57F7E1EF17B6E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000104Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:06.072{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF031B4C6A7C82B3668866E1FDB0A541,SHA256=871EF87054CBE4AAC861C3581052B37E6469BC78C93B530ADC57559A0AB03F56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902332Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:06.955{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63F68C6C9167C07611F1741B7FD19355,SHA256=5F9E4C0B0DB2148E5962B0DE31D7CAEEDC5EAB9B735E4C5EB35C25014655D88B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000106Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:07.447{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63C14A9DEFE7457BB0C36A499608E58D,SHA256=0E842BD09AE8CB368111136486CF8E00ED7B199F373A9DA34BEBFA2856209AED,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008000105Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:04.291{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61134-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015902333Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:07.970{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75DE0A0FD1D3E6666337084F54BDCED7,SHA256=D05330EE9E2E80BC3CA30DA5285998CEF4B7D47CF3AE7AECC528F55E45FFB7ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000108Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:08.803{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10124B512411DE0D19A1C87D9049B243,SHA256=9CF31C5193BD7B1EFEBF3524541E8721C6DD93CFBC805A073EF1C0DD1F45AF48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008000107Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:08.803{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E1432D8771C56944308379EEFD91023,SHA256=6DD95A68F6BA449D6ABCB6F2492098D2BA7F2E9408840C0232FB528ACFA9B45C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902335Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:08.985{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E31DD07D4B8168AC6C1AD900F94C1F7D,SHA256=D7B6768DED5549705ADFE722E99B7E1B7FCCA0C7E3AEAFBFC223E9FDCBECDEDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015902334Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:05.384{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52154-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000008000109Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:10.163{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=002DCC4B3C991EB2E496B6AA878A7005,SHA256=495606CE061DADBE8638FAB8D77F95BE2BF743F19653A4C842ECA09ED9AA7DD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902336Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:10.016{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F4BEB25928929F89EC343C3A20ABB8D,SHA256=9EA562667780AED4CD977C168A155B243B3D5B897069EA76E500FFC33815EB6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000110Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:11.538{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EC2F724B49B3796E1C8BCC14F753324,SHA256=617E034F972BEDD446DB0475B000DFD7CA2DC0B47B89F6D078ACEB9CB2F23486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902337Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:11.047{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=071A1392070409E11CF26CB0DF106C8B,SHA256=15CFECA144FF5C51589B65E9E985092F2E63EBA03E6CF2DDABACF08820D77152,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000112Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:12.913{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38CB19A9A62FC49AE1C1373073F3CFD0,SHA256=81B0D45C3DBB7A305BE0B836766769E3EFBD3E382D8A62991FA6BE44AD18D1A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008000111Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:09.400{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61135-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000015902339Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:10.430{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52155-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015902338Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:12.059{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A2FE358C4BB0A90CBE4238B8B177972,SHA256=1A2095DE7908D38511EE2EAE2931B2482D6289B303E04BD0B87F78A06C339220,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000008000114Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:10.916{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61136-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000008000113Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:10.916{3BF36828-DD1D-60DD-2F00-00000000C801}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61136-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 23542300x800000000000000015902340Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:13.077{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97AF98BEEA3DF47A5F5A93441250E29D,SHA256=0C14E4CB3DB6A1CB59B56193F0FE2623B95958D440945CF583AEFB44400C34A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000115Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:14.616{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7AF945ED006D00B82D83453EAC8C235,SHA256=3AAE929585B1464E3EBD3F9AD01C485B2ED2595A0C0D85A1AFADEBB2DEC2F352,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902341Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:14.093{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1062DA80513A0BFCA0B288B20D1BB3CB,SHA256=3C0D38B974071B6FA52863FB5213DFA120DCC8A43D51EF3EF65E1299E49F3883,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902342Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:15.124{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D0163D7BC509AC699CAEBB4A5C48A25,SHA256=953CCE1A9CC1D25F7357FD10D0000058AF35C50356BBBFEE9221B4C28D0C7A19,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000116Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:16.538{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73E3C9556BCB7218E1507CA596230C74,SHA256=CA5C2A8D202AA163E98F66B4315346B77F876043FF5069DBDED6A1E7CEC7D68F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902343Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:16.155{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B0C7884860E1F0B43DFFC2D48ACF8AE,SHA256=6CAB4B830E42191B8D875431B4E055C78EC1D5B7BB6715E81ADF692FB6C9C2A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000117Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:17.928{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB2CCAD62809547FF3A8939A48C22E2C,SHA256=21717A343AAE8D098AB812E215009CE495870F7187D5C476D02B418F22C8D387,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902344Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:17.202{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=158E47BCB393E60A605192AD30A8A9FF,SHA256=AC540ABBE38D551734964E9D2F804C9CF40B812B8C37303CA451BDB58D37985D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000008000118Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:15.243{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61137-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015902346Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:18.218{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=251888CF5F8442B4BE9C79507380322F,SHA256=5CE2E2884615CEE42D422D8EEA5E33994DA0F3622B60106C1B6D642FEAFE665B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015902345Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:15.443{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52156-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x80000000000000008000219Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.991{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000008000218Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.991{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000008000217Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.991{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000008000216Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.991{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000008000215Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.991{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000008000214Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.991{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000008000213Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.991{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000008000212Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.991{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000008000211Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.991{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000008000210Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000008000209Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000008000208Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000008000207Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000008000206Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000008000205Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000008000204Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000008000203Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000008000202Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000008000201Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000008000200Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000008000199Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000008000198Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000008000197Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000008000196Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000008000195Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000008000194Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000008000193Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000008000192Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000008000191Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 23542300x80000000000000008000190Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7B29EDCBC297C558D32F0CA2B65E122,SHA256=D501871833DDAEF8ECD2F3CAAF19FCD34C2AC9EFC84E60FC2B58F47941717320,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000008000189Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000008000188Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000008000187Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000008000186Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000008000185Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000008000184Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000008000183Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000008000182Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000008000181Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000008000180Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000008000179Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000008000178Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x80000000000000008000177Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000176Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000175Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000174Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000173Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008000172Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.975{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008000171Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.977{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000008000170Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.428{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000008000169Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.428{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000008000168Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.428{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000008000167Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.319{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000008000166Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.319{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000008000165Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.319{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000008000164Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.319{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000008000163Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.319{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000008000162Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.319{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000008000161Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.319{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000008000160Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.319{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000008000159Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000008000158Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000008000157Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000008000156Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000008000155Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000008000154Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000008000153Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000008000152Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000008000151Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000008000150Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000008000149Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000008000148Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000008000147Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000008000146Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000008000145Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000008000144Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000008000143Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000008000142Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000008000141Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000008000140Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000008000139Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000008000138Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000008000137Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000008000136Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000008000135Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000008000134Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000008000133Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x80000000000000008000132Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000008000131Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000008000130Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000008000129Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000008000128Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000008000127Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x80000000000000008000126Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000125Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000124Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000123Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000122Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008000121Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008000120Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.306{3BF36828-EC6F-60DD-9502-00000000C801}5020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000008000119Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:19.303{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C453667896E5D4AEA3E753E7E71AEE7,SHA256=65D3EDC322AE79EFE4EE1C14B4F8E77CE74236101920C470C1C2BBBE28738DAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902347Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:19.233{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D063C4703CB011703BDBAE3B1E1FE5C,SHA256=311E9A50CBCAE585F86E5B40CB753E446B6FABD54E49C945E6EEE010C0F6904C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000223Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:20.663{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8C00A83CFD78F702609CC981F6AB062,SHA256=FD2B67D878FC38C92F88C5B7073642B0502369A215630777ADD0D6A169625E6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000008000222Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:20.100{3BF36828-EC6F-60DD-9602-00000000C801}7404672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000008000221Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:20.100{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000008000220Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:20.100{3BF36828-EC6F-60DD-9602-00000000C801}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000015902348Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:20.249{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4600E4AF526502A8C65AB66952E6FA7,SHA256=0608A1A53B309BBA5527DE3A3B8486037716F2627AC39BE7A652741C2917F6C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000228Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:21.350{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5F5CF4F906AAC6E632BD8369D958C1,SHA256=14B7EBF9AE5971297E22FC17105935D5CA3A778EAF41EC6E4508FCF29B2555F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008000227Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:21.303{3BF36828-DD1D-60DD-3000-00000000C801}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000008000226Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:25:21.210{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\D370F6FF-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_D370F6FF-0000-0000-0000-100000000000.XML 13241300x80000000000000008000225Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:25:21.210{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CA735696-6C26-4910-BF98-1B50C97DCBCC\Config SourceDWORD (0x00000001) 13241300x80000000000000008000224Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-SetValue2021-07-01 16:25:21.210{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\CA735696-6C26-4910-BF98-1B50C97DCBCC\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_CA735696-6C26-4910-BF98-1B50C97DCBCC.XML 23542300x800000000000000015902349Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:21.358{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D78AFF9BBB1072CA8C292F24172E9F88,SHA256=4D5BABCF335EE2FEECEE3C72130E834B25EBEA9C81E2406E5719FBB93210B5D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000008000230Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:20.353{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61138-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000008000229Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:22.038{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC29E6CCD77B9CE53C36D231D73C3388,SHA256=1F9B4EA93D4A95C8E7D734B3FDE36918DB3E2AC0639A08DC4C84FA551768B66F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902350Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:22.405{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D0828805BA42B75D992463954AA6AF8,SHA256=678FB1D3D07A578F818C6283E2E2639409EB4F4206DA0CD49DD6D4735E9456B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000008000239Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:23.710{3BF36828-DD0B-60DD-0B00-00000000C801}652780C:\Windows\system32\lsass.exe{3BF36828-DCF0-60DD-0100-00000000C801}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000008000238Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:23.491{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2C866533F02E030E1FB8472998F1848,SHA256=29A9072C382EAAB37190DB964D3CD50A778E564D79DD95BCC3974553D8E12328,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008000237Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:20.478{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61142-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x80000000000000008000236Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:20.417{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61141-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x80000000000000008000235Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:20.417{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61141-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x80000000000000008000234Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:20.412{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61140-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x80000000000000008000233Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:20.412{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61140-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x80000000000000008000232Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:20.401{3BF36828-DD0D-60DD-0D00-00000000C801}924C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61139-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local135epmap 354300x80000000000000008000231Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:20.401{3BF36828-DD1D-60DD-2800-00000000C801}2968C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61139-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local135epmap 23542300x800000000000000015902352Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:23.437{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5210CCD58E17F51AB6EB6919308B80C2,SHA256=92AAF720E079E47BE19105315145A351E41F61C6EB4A8A3683180C6C080B73FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015902351Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:20.537{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52157-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000008000240Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:24.913{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F26136A5DE0D0CC8E0448AE3D5D8B24,SHA256=554F347ABC757FCF7C92806044051B7CE8363602839A653985215E997DC6F74D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902353Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:24.468{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2CA6E84F9F578A158AB2E960F65400F,SHA256=E850C41F3AF2EC035D7C3827359F5CB8DF0AAC285BD55AA1F8405CD898B93648,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000008000244Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:22.799{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-128.attackrange.local61144-false10.0.1.14win-dc-128.attackrange.local389ldap 354300x80000000000000008000243Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:22.799{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61144-false10.0.1.14win-dc-128.attackrange.local389ldap 354300x80000000000000008000242Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:22.793{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61143-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 354300x80000000000000008000241Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:22.793{3BF36828-DD0D-60DD-0F00-00000000C801}344C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61143-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local389ldap 23542300x800000000000000015902354Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:25.499{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3D21BF72DBAF2A9D44733F32F155058,SHA256=8A5E5F43A95971D2E186F54D2E0164A457121C02FBA07B32839867E9A86EF976,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000008000346Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.959{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000008000345Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.959{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000008000344Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.959{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000008000343Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.959{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000008000342Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.959{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000008000341Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.959{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000008000340Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.959{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000008000339Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000008000338Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000008000337Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000008000336Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000008000335Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000008000334Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000008000333Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000008000332Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x80000000000000008000331Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000008000330Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000008000329Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000008000328Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000008000327Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000008000326Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000008000325Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000008000324Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000008000323Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000008000322Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000008000321Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000008000320Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000008000319Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000008000318Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000008000317Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000008000316Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000008000315Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000008000314Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000008000313Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000008000312Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000008000311Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000008000310Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000008000309Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000008000308Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000008000307Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000008000306Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x80000000000000008000305Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000304Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000303Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000302Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000301Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008000300Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.944{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008000299Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.946{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000008000298Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:22.903{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61145-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 354300x80000000000000008000297Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:22.903{3BF36828-DCF0-60DD-0100-00000000C801}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local61145-truefe80:0:0:0:b574:557a:2d92:ce61win-dc-128.attackrange.local445microsoft-ds 734700x80000000000000008000296Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.397{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000008000295Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.397{3BF36828-EC76-60DD-9702-00000000C801}1842504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000008000294Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.397{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000008000293Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.397{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000008000292Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.288{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000008000291Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.288{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000008000290Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.288{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000008000289Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.288{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000008000288Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.288{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000008000287Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.288{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000008000286Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.288{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000008000285Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.288{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000008000284Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000008000283Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000008000282Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000008000281Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000008000280Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000008000279Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000008000278Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000008000277Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000008000276Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000008000275Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000008000274Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000008000273Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000008000272Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000008000271Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000008000270Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000008000269Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000008000268Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000008000267Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000008000266Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000008000265Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000008000264Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000008000263Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000008000262Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000008000261Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000008000260Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000008000259Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000008000258Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000008000257Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000008000256Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000008000255Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000008000254Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000008000253Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000008000252Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000251Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000250Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000249Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000248Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008000247Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008000246Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.274{3BF36828-EC76-60DD-9702-00000000C801}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000008000245Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.272{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9A2DD8BB3BC48FE7C06BE1E3B710CDC,SHA256=A0DDB372A78D599232D9C198027E49EDC7834B6C58A23FEA0533E43CAC277652,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902355Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:26.515{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CB5A6ED0B589834993F958A7029B9BC,SHA256=F3650A70BC4EF367D12B063B6FAC86B40F50E98F457768C94613351ED6201AE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000008000401Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.756{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000008000400Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.756{3BF36828-EC77-60DD-9902-00000000C801}5032716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000008000399Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.756{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000008000398Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.756{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000008000397Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.647{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000008000396Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.647{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000008000395Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.647{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000008000394Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.647{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000008000393Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.647{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000008000392Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.647{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000008000391Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.647{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000008000390Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.647{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 23542300x80000000000000008000389Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49020DA213FE44277F5D224A5F7D9F5B,SHA256=AC3586A243BF0A589C7C63F0CA898041C53D61B531FBD5D630596CA21111A443,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000008000388Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000008000387Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000008000386Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000008000385Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000008000384Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000008000383Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000008000382Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000008000381Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000008000380Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000008000379Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000008000378Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000008000377Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000008000376Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000008000375Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000008000374Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000008000373Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000008000372Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000008000371Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000008000370Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000008000369Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000008000368Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000008000367Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000008000366Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000008000365Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000008000364Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000008000363Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000008000362Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000008000361Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000008000360Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000008000359Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000008000358Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000008000357Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000008000356Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000355Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000354Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000353Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000352Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008000351Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.631{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008000350Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.633{3BF36828-EC77-60DD-9902-00000000C801}5032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000008000349Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.069{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000008000348Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.069{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000008000347Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:27.069{3BF36828-EC76-60DD-9802-00000000C801}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x800000000000000015902356Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:27.546{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06EA5B9A61F1F10B844FA57954FAE513,SHA256=3EB9A580D6E40E4758FD26BF57723A063AE57F4E092A317614A47D28BAD02494,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000008000454Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.430{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000008000453Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.430{3BF36828-EC78-60DD-9A02-00000000C801}36204148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000008000452Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.430{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000008000451Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.430{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000008000450Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.320{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000008000449Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.320{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000008000448Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.320{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000008000447Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.320{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000008000446Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.320{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000008000445Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.320{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000008000444Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.320{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000008000443Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.320{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000008000442Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000008000441Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000008000440Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000008000439Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 23542300x80000000000000008000438Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C8DC3B7568ADBDDF8693257AF3C36CF,SHA256=4FAA69ECC8CB7EF246393015B32842CFD134700243A1D900D80BAF2A060C7C1D,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000008000437Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000008000436Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000008000435Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000008000434Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000008000433Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000008000432Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000008000431Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000008000430Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000008000429Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000008000428Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000008000427Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000008000426Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000008000425Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000008000424Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000008000423Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000008000422Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000008000421Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000008000420Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000008000419Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000008000418Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000008000417Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000008000416Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000008000415Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000008000414Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000008000413Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000008000412Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000008000411Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000008000410Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000008000409Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000008000408Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x80000000000000008000407Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000406Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000405Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000404Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008000403Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.305{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008000402Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:28.307{3BF36828-EC78-60DD-9A02-00000000C801}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015902359Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:28.861{B81B27B7-880B-60DC-1F00-00000000C701}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902358Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:28.580{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C277178B795C761E7CE88902DA42B06F,SHA256=E770192B932211252EA213AB996F0EED43284EC54F23F4B9B168348D677931EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015902357Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:26.381{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52158-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000008000512Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:26.259{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61146-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000008000511Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.680{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA025BB25C6D8854EE0FD0F49738A546,SHA256=359CF69E107CEBA9FF6D281AB761F73BBA320A7E1CA68D77438734A87CCA7497,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000008000510Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.133{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000008000509Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.133{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000008000508Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.133{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000008000507Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.023{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000008000506Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.023{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000008000505Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.023{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000008000504Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.023{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000008000503Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.023{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000008000502Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.023{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000008000501Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.023{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000008000500Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.023{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000008000499Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000008000498Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000008000497Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000008000496Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000008000495Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000008000494Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000008000493Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000008000492Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000008000491Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000008000490Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000008000489Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000008000488Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000008000487Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000008000486Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000008000485Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000008000484Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000008000483Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000008000482Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000008000481Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000008000480Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000008000479Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000008000478Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 23542300x80000000000000008000477Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=234342F0C5BF02EECFF1E50B21354143,SHA256=529F34985A5FA6E77772F74506B8BE156F5DD6CCCAB91EB2157B5A4D6FBE2ECA,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000008000476Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000008000475Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000008000474Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000008000473Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000008000472Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000008000471Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000008000470Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000008000469Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000008000468Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000008000467Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x80000000000000008000466Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000008000465Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000008000464Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000008000463Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000008000462Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x80000000000000008000461Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000460Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000459Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000458Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000457Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008000456Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.008{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008000455Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:29.009{3BF36828-EC79-60DD-9B02-00000000C801}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015902360Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:29.611{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCA3925AF0EC282BCF84CD2FA7EEC0BC,SHA256=1C0CEC3A32FE16611551FEF80D5EDDC91E19554D082E199A6D836514B372DFBD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000513Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:30.430{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CABF56F9CE67C57D87F7ED9DEADDBAF8,SHA256=7DBDD392C601E03A2455113B44CC4DDA029EC05174DA30A3162F260D20919F1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902362Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:30.627{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1BBD250FD0728FBC037F0BFEBF9814F,SHA256=97C95AB98703F7F0D89D86EE1E1EA08CC3A07A5100EC04D5BB25DE9ED477EEF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015902361Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:28.149{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52159-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x80000000000000008000515Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:31.930{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0578B53A8070B2207B37863EDFE88E70,SHA256=28B5C67C1E9E78653FE26702C6365DA5B1CA122F09724970BFCBB99D546D6E6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008000514Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:31.179{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96D422B2FE67FBBA5EA8B3FD0F7CC30B,SHA256=A4EFA021CD74D3D71A8AFA38293E74DF1C5680054D541982F81CFE67F258ECE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902363Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:31.642{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC608254A5F11A2EC8E4BE3242DF8883,SHA256=DC6A243F4B8D61EDF4432F5CA4140B269BDE1B6F5A8F38C9594543F82DA37BD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902364Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:32.658{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA94B5F1AC265A631A8CE3D7053B289C,SHA256=A8CF01D6112FCAF45078798A62BD9CB47CD89FD4841A2F9BE88E0764D459F254,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000516Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:33.414{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5A419414F98C8EE2E8A04B9331098C5,SHA256=B313FD588B76E183B7D8366CC35D77DA90EFA73DEE35FE4379093B0B3B668DE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902365Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:33.705{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCBA165CEEEA7CD368FF48EA9373352B,SHA256=E69C200DAAE870EBA7FE28B034F5EEDAC5EE4FF7945BC352665D0983A2545C84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000518Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:34.773{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FAC5AC4EEE81571BD24D4FB0BE848E4,SHA256=A7FD2D211C80465E6831C7862670B21C41DFE0A66AF1262FFE93C8A69EB1EA57,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008000517Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:31.275{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61147-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015902367Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:34.752{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A00F99BCC5BCF5E77C93E71CFEE18028,SHA256=1EC0423AF057118DA31B618A1466B9C8F4A7BB2026FD2C4BF6159EB7868C49A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015902366Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:31.399{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52160-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015902368Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:35.767{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF7B69DF17603696ED07A5E4AE64D43,SHA256=B85204D3144FBF7663110F5ADB18DDCF0E41D58F7DB0DC93209990845165701D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000519Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:36.133{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1A593CD35FD71ECE62DE87E64BEC206,SHA256=B00D536808420D6CD6C89B9CEBF5FE367073E4B50C92F5C873FE507D692416ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902369Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:36.767{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9584F7B2FBA2434E090528BA2E598144,SHA256=FA66ECE7AD19EA3175C81BF6F1AF8E262E0530FCB1DD85A85A141AD0974E66B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000520Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:37.508{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB62C75B95801D938C36F97E46B17063,SHA256=FD5616051EE1874BFB713891DCB03AE08248F19833F5266E696C9412FB4E0FBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902370Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:37.783{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBDED368AFF3E6E6DDE12E7E34E43252,SHA256=736543542314E0DADD2B8823F6BA5FA1DF094762EC3C78F17EC23E13A431D31A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000522Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:38.867{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D98341317FCCEDA53F6BDC8E5EC3EDC8,SHA256=6FA22E5FE38F945B5C42AEEDD913452575658B634EBA1E7285D84F9255A4D472,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008000521Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:36.322{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61148-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015902372Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:38.814{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15A520384D5C7D5605BA4E713B35448C,SHA256=A5CA7A36F008F30A3AAE98B1C24E5B066CFECAD5DF079AE5A59E4E876F632419,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015902371Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:36.446{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52161-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015902373Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:39.814{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA688B59FD92211DD946C63B05B5441C,SHA256=C198983CA227FADBEB33AB314DEC8398B4435817C6CF1609117562E50B712E15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000524Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:40.226{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=050054D9CEDFF744DC128C2E01847C93,SHA256=BB453F275239E86F74431BDD09F49915F42E3BC3FCE3D9D2DC5B0E614FE55583,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008000523Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:40.226{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A5074C97597B38A870D5E7E3E3A0BB0,SHA256=80E9E6480A12018A4864AD14EFAD14FF8CF4904A99ED710CF4CAAC10A476C239,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902374Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:40.861{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CC761003FD1AC3D58D55B946C0ADBA0,SHA256=6EF83F937E5BCA478D69EDC90F5A029F0BF512ED581E1D267BE01A369397DA61,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000525Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:41.601{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=037DE1F671BEF4E191C49E00796CDEC1,SHA256=B9D7C2792FAC33BF0EBDD91C284C94F5D4AF2D368CDE2D7A688029D5010C94C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902375Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:41.892{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46914F4DDE2F4A6A66A311EE18662CD2,SHA256=38B8317981C07D850897969BBDFE69831DFC95F63F55D921FDA5FFD91D9494A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000527Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:42.961{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0653B416A389110F33E6920369AD56ED,SHA256=B30A71E4852C54B5B94857AEFEAAF5069D3A3360ADA806AEF134D47E683E4B8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008000526Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:42.539{3BF36828-DD0D-60DD-1200-00000000C801}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F548BB949A679E73F619E09B88F9BF23,SHA256=8BE4A20170ED6CDF2B145F6898E248A63259E2FEFEA3CA566B5D709E79397601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902389Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:42.939{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E3C29B0D4324284EF12E5F3DE95D58E,SHA256=10FB6943A4B0DD048E8CAE9B3A02B7ECF9C57A95B6C1C1F83EBAEF4C87D6F09F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015902388Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:42.783{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EC86-60DD-A92A-00000000C701}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902387Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:42.783{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902386Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:42.783{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902385Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:42.783{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902384Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:42.783{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902383Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:42.783{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902382Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:42.783{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902381Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:42.783{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902380Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:42.783{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902379Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:42.783{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-EC86-60DD-A92A-00000000C701}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015902378Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:42.783{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902377Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:42.783{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EC86-60DD-A92A-00000000C701}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015902376Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:42.784{B81B27B7-EC86-60DD-A92A-00000000C701}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015902405Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:43.955{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A89277E982573DCB726EBC4B45D7520,SHA256=EC6772A2FA4EB22EE904E41F041A8B8BE17F2602107109E517EBF11B8CDD5C87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902404Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:43.955{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DDF7C9255D76A43BE146F2AE3965935,SHA256=225F0DC0A4100E07BF703F187EBD8F1EEA2EF895C6DD7A176578F387C6D1CF72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902403Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:43.955{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4167BC40D338DD2D589CFA555B130EF3,SHA256=3CCF217C9CF9549D17721621BC5F5140D95FA992E15608CA110B56E16B7B3E90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015902402Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:43.455{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EC87-60DD-AA2A-00000000C701}668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902401Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:43.455{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902400Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:43.455{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902399Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:43.455{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902398Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:43.455{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902397Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:43.455{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902396Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:43.455{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902395Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:43.455{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902394Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:43.455{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902393Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:43.455{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902392Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:43.455{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-EC87-60DD-AA2A-00000000C701}668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015902391Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:43.455{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EC87-60DD-AA2A-00000000C701}668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015902390Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:43.456{B81B27B7-EC87-60DD-AA2A-00000000C701}668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000008000529Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:44.336{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=990E865953F55479B804D38655C96F99,SHA256=DFE2E26875B3326375BA135C5DF182DB30422E69BEC67069FD33F17385BAD261,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008000528Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:41.385{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61149-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000015902420Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:42.352{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52162-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000015902419Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:44.267{B81B27B7-EC88-60DD-AB2A-00000000C701}41725100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902418Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:44.127{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EC88-60DD-AB2A-00000000C701}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902417Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:44.127{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902416Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:44.127{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902415Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:44.127{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902414Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:44.127{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902413Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:44.127{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902412Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:44.127{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902411Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:44.127{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902410Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:44.127{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902409Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:44.127{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902408Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:44.127{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-EC88-60DD-AB2A-00000000C701}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015902407Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:44.127{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EC88-60DD-AB2A-00000000C701}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015902406Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:44.127{B81B27B7-EC88-60DD-AB2A-00000000C701}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015902422Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:45.346{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DDF7C9255D76A43BE146F2AE3965935,SHA256=225F0DC0A4100E07BF703F187EBD8F1EEA2EF895C6DD7A176578F387C6D1CF72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902421Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:45.111{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F25FC18A1204203FA924577702372D02,SHA256=217C5F2FFE13F4AC1E979D5D7673390F120DE9B0EF0C5568F4CDA987B7603114,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000530Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:46.351{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68EBFED8F6A7E4B97DA0C26B9E478AA3,SHA256=3D4421E6497B8EB704AFB3540902883E4EBA2896EFB9953D5291692CA266A861,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902423Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:46.127{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3585BD140B4EE5632E54147B8CEC33AB,SHA256=9F95F90449412BFBEBAF667ECFA4D2FB67F65CC450B6E2EBBD05C76E09438824,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015902438Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:47.517{B81B27B7-EC8B-60DD-AC2A-00000000C701}52082324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902437Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:47.346{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EC8B-60DD-AC2A-00000000C701}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902436Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:47.346{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902435Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:47.346{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902434Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:47.346{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902433Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:47.346{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902432Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:47.346{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902431Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:47.346{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902430Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:47.346{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902429Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:47.346{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902428Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:47.346{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902427Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:47.346{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-EC8B-60DD-AC2A-00000000C701}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015902426Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:47.346{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EC8B-60DD-AC2A-00000000C701}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015902425Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:47.347{B81B27B7-EC8B-60DD-AC2A-00000000C701}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015902424Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:47.142{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=011B086364D03F76909CA4D9695A9628,SHA256=7987A185EEB8386665A58403ED0A3456C62EECF8160A6BF36A44FF36768F0761,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000531Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:48.376{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE255E0BD44CC12AD064A32E68DACD3D,SHA256=2D2BB1D4CFF2E154912985DF2739216110FF55FD7B946A29119A0CCE698B8507,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015902496Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.855{B81B27B7-EC8C-60DD-AE2A-00000000C701}6645912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902495Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.698{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EC8C-60DD-AE2A-00000000C701}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902494Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.698{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902493Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.698{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902492Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.698{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902491Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.698{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902490Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.698{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902489Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.698{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902488Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.698{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902487Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.698{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902486Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.698{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902485Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.698{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-EC8C-60DD-AE2A-00000000C701}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015902484Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.698{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EC8C-60DD-AE2A-00000000C701}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015902483Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.699{B81B27B7-EC8C-60DD-AE2A-00000000C701}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015902482Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.480{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE3457FB91284E73492CB8B3A2332FE7,SHA256=6A1818CA378916A016B91DE867FDAF2853C483647E28E2856232345032AD98EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902481Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.480{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98E62C69121888E90C2A2CB5D8767F17,SHA256=90755BDE9D386C011EAFB91F3E21ADE0991649BD0238B05D756D43DABD1854FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015902480Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.370{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902479Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.370{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902478Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.370{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902477Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.370{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902476Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.370{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902475Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.370{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902474Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.370{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902473Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.370{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902472Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.370{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881F-60DC-8000-00000000C701}4556C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902471Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.370{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902470Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.370{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902469Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.370{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902468Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.370{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902467Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.370{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902466Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.370{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902465Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.370{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902464Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.370{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902463Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.370{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902462Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.370{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902461Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.370{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902460Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.370{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902459Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.370{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902458Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.370{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902457Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.370{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902456Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.370{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-881E-60DC-7F00-00000000C701}4332C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902455Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.370{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902454Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.370{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902453Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.370{B81B27B7-880A-60DC-0D00-00000000C701}796816C:\Windows\system32\svchost.exe{B81B27B7-888F-60DC-AD00-00000000C701}5064C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902452Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.151{B81B27B7-EC8C-60DD-AD2A-00000000C701}1004572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902451Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.017{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EC8C-60DD-AD2A-00000000C701}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902450Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.017{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902449Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.017{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902448Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.017{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902447Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.017{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902446Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.017{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902445Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.017{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902444Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.017{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902443Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.017{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902442Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.017{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902441Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.017{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-EC8C-60DD-AD2A-00000000C701}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015902440Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.017{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EC8C-60DD-AD2A-00000000C701}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015902439Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:48.018{B81B27B7-EC8C-60DD-AD2A-00000000C701}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000008000532Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:49.438{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29EBBD44F081D777FDE786B7AB8526D7,SHA256=A59156DF88974103FFBD5BD520967F6155B47D8FD2880D8B4111DF5096733BAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902511Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:49.933{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC42F3BF4AA73DD68DA51E3B029584F0,SHA256=7E4D55A15B1B86E1E8A4DE1A846A56C2E6FC874E4BB46BED00AC24F292C1C09F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902510Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:49.667{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3230F779D9A32CA48A163EB676313E30,SHA256=C59C99930598D26A6FB633DEA6EBB2D5DA87C7B7B7B0C60ADF6D5A17B2CBE39C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015902509Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:49.370{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-EC8D-60DD-AF2A-00000000C701}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902508Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:49.370{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902507Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:49.370{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902506Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:49.370{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902505Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:49.370{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902504Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:49.370{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902503Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:49.370{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902502Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:49.370{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902501Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:49.370{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902500Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:49.370{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902499Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:49.370{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-EC8D-60DD-AF2A-00000000C701}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015902498Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:49.370{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-EC8D-60DD-AF2A-00000000C701}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015902497Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:49.371{B81B27B7-EC8D-60DD-AF2A-00000000C701}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000008000534Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:50.813{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EB6CED0F803CD817D9A88906208DF99,SHA256=CA0BF3F1CB7DD1085D964FAF8738217BFDD701DF16BA5EA9AD0754AF52629918,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008000533Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:47.315{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61150-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015902513Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:50.401{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=807B24B682C2C1F5099FF776952CAD98,SHA256=10A88C36BA755719E4EC9F7775030BFD030D9B064D736BC699A484BEFEBF55C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015902512Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:47.423{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52163-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000008000535Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:51.501{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=024CC33DAA81731CA5BD18045621AC25,SHA256=61ABB3EF55C1C68D38D681E3D3650E266CFE2CC70F1F063EECE5145A80F66EB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902514Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:51.433{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACCA90EC250F6981BDF5FB19959314DF,SHA256=37C74E66BEE8DD654B93AA2E60A0A2C4A15286F10EACB04B4749B9F190658B84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000536Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:52.188{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE5E8C5D9E25D2541E5BEEAD9B764370,SHA256=3AE893C5AE951C460628B88C8BD5A5C5F260B89049C79A0DABE6A5869C7348B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902515Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:52.433{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A4484F411B2BBFDBB0F3C3E6F806630,SHA256=89BDD288D837CFFE46D3CB9C0D242E4446155587B7ABB062827C5C6964387E27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000537Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:53.548{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B9D270994060A6D73288D368714E97A,SHA256=07FE644163D788AFBE8C77DDC3B7BACF9B1455EE5967EF3953CD2ADE6AB9F2B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902516Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:53.464{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=646B10B51BD8BC902441D8CC6737B93B,SHA256=1ED81C8E95A490446A31294FCF3482C1D77F2DC7D01BB0560404D763EAE99777,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000538Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:54.907{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22A42E79393E510B2E58B6672F96C9BE,SHA256=E2A7412AAC5666FFBA51324E7164E328DE6A4CBD70FE18CD95E505CE31D6EA0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902517Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:54.683{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76ACFC03315A9B27CFC09A5D4083990E,SHA256=AAD1C6AB9FDC06F5CA99E92850E14AFC53FFB63FAA9AA31C66912A85FC69C098,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000008000539Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:52.424{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61151-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015902520Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:55.698{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD85F4B90F94B78333C98FE160ED777,SHA256=364335F6D71FBCA2A8A16CFEB82C2AF49ADC0A26C0444311EA936E26274EB519,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902519Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:55.511{B81B27B7-880A-60DC-1000-00000000C701}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F5360084E06AE914C44D031CC7C7ED49,SHA256=ABE71B058381708F68D0B81F70E1938CC7779BB6817C0D95CCD6AAE4B6B1D865,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015902518Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:52.470{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52164-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000008000540Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:56.282{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCBDF56F273CB4A33DB6754AC3136803,SHA256=66A1B30CEF59D9E64FEE91E41FC8B38C40F843C5A8F421243902D0F392C1FD88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902521Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:56.714{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34E63E21841DCC7F57871391DD0217E9,SHA256=5C4B24464CEF1ACFA2D7402AFC0F918636F85049CA62E956C29CD26473E27D23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000541Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:57.641{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37941700F645C9C696605B6DE54E10FA,SHA256=A90A6BCEC754FD3576413BA5FEBB438807DF3487EB280349F23223C6F8F8802D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902522Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:57.730{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F43B6C73C26343DDF7657EC58D829C3,SHA256=78C6E41B1CBAE90468FC10BB946328366DD82C2DE95239C1C460539F62EDC60F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902523Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:58.745{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C285945CD5FF858C4957884AEA129B3,SHA256=BCE657E8289DA43CA2B14FA1EA6B3F72BD7210F2E28D1EC707115F558EF3D738,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000542Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:59.001{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=222BB71889904B0A830549DCEF674717,SHA256=A4B44C7F02C54D9A6C1D34AB1506102BE18131D5CF05436E94C9544A31C0B463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902524Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:59.777{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C7CB5860143F55DCF85D1A3B8B29D83,SHA256=1A66DB8344AA55FB102C0C1D14B8F666C9A5EC47BDFBD9A118330A5AF3BD1B03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000544Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:00.376{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A652AD08546E8726D7817CF906278C4,SHA256=0D0228C999C525FFA742E86150F2691843468A19980AECF9DC0E3AFDA77F5CB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008000543Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:00.376{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B5E12960A3DB4A9A19A02021D61BCB1,SHA256=274C7B576A3BB9D41B4EB7528458EE0B5EBE00D9CC8D2970321A9224667704E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902526Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:00.792{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA3E954D250BB1BD9CF22B65858F7CD3,SHA256=97A02739311544A4C2467862D8B0CA2797960B1CAE4AA29F9C756316F868F651,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015902525Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:25:57.517{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52165-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000008000546Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:01.735{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB40EE25AE343C30BD2AE5712749CC6D,SHA256=2DAB367B345E85B23D4656727C3FEFFB766786B0EB3FBBBF47711A198E6620D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008000545Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:25:58.362{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61152-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015902527Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:01.808{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98BA3E8A69C568B3E4CC9C7CED3EE3A1,SHA256=6BF03448804875B044A29B8111F9C93A8FEB631A5F3A2F8E1EA21159B78AE575,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902528Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:02.823{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5800ED80AF40F0314126465A506C2752,SHA256=13C59D2B02060919612F6FF1D49D7E8868ADB04C333AF1F7899106E93F82E18D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000547Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:03.095{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68FFD5EFC76A504874875D79CA9FF3C7,SHA256=15F0CA5C443ECFF4292ECB28FAF61E57F4D617C32BDABCAF6BD9039161E96BE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902529Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:03.855{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86AA789DF9D55180EDD606A93DB8FB3F,SHA256=5BB7C0773FAEE952F67B5120C715B7D6BDD3842BA280CD384C8593EF949AE181,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000548Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:04.471{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=243075198E2BB55CE329C0229A94A511,SHA256=81B6A3B642634C7D4A77E5E1C845446E64CCF131DCCF7AEA705550C75EED1783,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902530Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:04.886{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=137E1E62E7FC416A4C637E76C20F59D4,SHA256=4B33E4C7EA35A8EC9C3AB7FA9B6E1B6C66779C87FF95B1438FEC1ECF414627D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000008000550Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:03.394{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61153-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000008000549Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:05.843{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD691DBA0805A4165971E8BFF95BB550,SHA256=109E57FAE4BD66287ECEF6683F55B8FA3DF3F725A5F7A8748A852E73E8F37E1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902532Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:05.948{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34120AEB31E46A28144E97787E4B7801,SHA256=6DD9A859ABA2FF090BCEBD86B80D28DD261EB6943BB64264D8505AACEB264A4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015902531Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:02.533{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52166-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015902533Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:06.948{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE915FB5A1F058D7CCF17E6B1DD9BD1E,SHA256=A3F5E064418AE92EE285E3119B9DE0688A4243723424FE7CF708DCDD65BA2716,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000551Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:07.206{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=591267D5FAAD90E6C8E09E9F57FE8C07,SHA256=592851449F29B745CC90DEE8950C724B9874E65BBFDA47D57CB1FB0D7240F274,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902534Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:07.964{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82F5A2F431219AB7B0BB77DD0FA52254,SHA256=CFD4D1D7D077D0F1558EABDA2EFDB514EDE8AF6BA774A852703419E37520648D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000552Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:08.568{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D60D3E9B5107D0B850219E48F7B0BCED,SHA256=16DF181DE01497A783EF2B2F0F07332BE06DBDB1C4D07F1F86061B38B71786B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902535Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:08.969{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60DAE668639234FC6B39FE3401285025,SHA256=57EB32CDE86DF3E1B82AC7A6F475B607E1EDE894F53557B49547A956166128D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000554Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:09.943{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42C4D37C5128D6FD65D7D12F6E987189,SHA256=CDCA483EF60F5A634677E975A92C1580388944E11BD88AD3E0DF493AE8C25D41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008000553Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:09.255{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ABB25C19ACDBC66088BEEF69F31190D6,SHA256=0B2FF599B6E5FDDA384FD639DA08642D4B6EE2799FD942EB7170451D7006CFC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902537Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:09.984{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1A3B0537B1ADB64DF0083754136A653,SHA256=3FDB3881B36B2988CF8CEA452EBB47B894731D85255F5FFE9980AF09C3F7C5AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015902536Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:07.537{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52167-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000008000555Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:11.318{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A61B7FCEAF3C246B082E246AA78EE17,SHA256=6783AA68C9F2911EBE76B7646C3654650D3C949AD9A200A3EB0282F10912C00E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902538Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:11.016{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C357C0C69C9E2D034B5AB55FC81A0592,SHA256=3D2A8E775528BA785A57DEAD0CAC67D8A6021F084358978BE914313ED10787F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000008000559Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:10.929{3BF36828-DD0B-60DD-0B00-00000000C801}652C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61155-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000008000558Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:10.929{3BF36828-DD1D-60DD-2F00-00000000C801}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-128.attackrange.local61155-true0:0:0:0:0:0:0:1win-dc-128.attackrange.local389ldap 354300x80000000000000008000557Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:09.241{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61154-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000008000556Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:12.677{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A8E4CA2C8D6B65DE60EA895561BDBC,SHA256=992D265C6E5A50E0D66651C02208D75141A142521FA9FEBCFC0F963029291382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902539Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:12.017{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1E62E2CB378E1081B06314F8CA7FE78,SHA256=0FC79DA9C86F6B8ACBC20E55595261B4FDB86ED412E54402D5B7FC9FB97D42D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902540Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:13.030{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66242E3E954B4495A1E77B78EE1A42ED,SHA256=4C7FDBE6DABDD38CEE34F35AE7BDCE295E7E8F046F071F483037645A89192B96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000560Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:14.037{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA06AE2AB61209B94E982B581B6BEF23,SHA256=C562AEC11E40846FCAED0F518DBED08D09533C41AEAE146D655116A728B70281,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902541Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:14.033{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AA27F8A66F0E311CA9891E7C68EE6DD,SHA256=958E309778DE07AE58AA37796E4BDE0E904B30A7DF48D95A1E3279E4258D1E78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000561Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:15.427{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0B07431FD7494F4360CE7333072543A,SHA256=398344E00305D3D26FF397A672F29B7B6E189C591D720DA8A4A551C1968E129A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015902543Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:13.336{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52168-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015902542Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:15.095{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D245928B0A8F6CF8C8AD2137CAE3D81,SHA256=873ED6890C4404D17AA4E812B13BFE097E008D767C62AA0CFCA310539567BC7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000008000562Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:14.350{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61156-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015902544Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:16.111{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45DA04C7663D462149D03340DF2EC5E9,SHA256=F221052F5B8D217C85140D2D0C1603F3E91F1479DEA51FDE4AA827E7C9079E64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000563Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:17.443{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44F1451B01CE32BA88A7A3AD77706280,SHA256=E1F83925B11EA7B69DC2EB8174AF72B6CBFFA278A982F14879ACFEBFBBF666B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902545Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:17.111{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE37E14451772506EC91927243B01F64,SHA256=B89F1959721F1971811875275128CA25D3A7A9714263154A351DBCFE51286E78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000564Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:18.458{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59EDD322A96B2DC96427117D8D09461A,SHA256=2E28B05D4D0538673D4C29C0F1F6E611CCB48DD1E8C4CA06A0B036A04D9D73F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902546Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:18.111{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=703634019E74F4320E97A30371A5F130,SHA256=F3E9BD796CD2E414E9ED0C48D3C23113E25E2069331319A0B4E445B0803410D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x80000000000000008000667Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.958{3BF36828-ECAB-60DD-9D02-00000000C801}37643320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000008000666Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.958{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000008000665Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.958{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000008000664Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.849{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000008000663Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.849{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000008000662Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.849{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000008000661Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.849{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000008000660Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.849{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000008000659Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.849{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000008000658Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.849{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000008000657Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.849{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000008000656Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.849{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000008000655Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000008000654Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000008000653Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000008000652Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000008000651Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000008000650Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000008000649Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000008000648Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000008000647Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000008000646Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000008000645Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000008000644Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000008000643Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000008000642Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000008000641Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000008000640Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 23542300x80000000000000008000639Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81EDF5F3338A6AFA5C2B001C477A4DB5,SHA256=004AE5AB7DDEBD6247AF2C39146BE74FF9461BDEE17C81C0A1A0AECCB6DCF1D0,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000008000638Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000008000637Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000008000636Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000008000635Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000008000634Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000008000633Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000008000632Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000008000631Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000008000630Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000008000629Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000008000628Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000008000627Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000008000626Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000008000625Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000008000624Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000008000623Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000008000622Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165trueSplunk, Inc.Valid 10341000x80000000000000008000621Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000620Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000619Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000618Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008000617Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.834{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008000616Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.836{3BF36828-ECAB-60DD-9D02-00000000C801}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000008000615Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.271{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000008000614Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.271{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000008000613Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.271{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000008000612Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.162{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000008000611Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.162{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000008000610Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.162{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000008000609Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.162{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000008000608Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.162{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000008000607Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.162{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000008000606Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.162{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000008000605Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.162{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000008000604Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000008000603Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000008000602Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000008000601Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000008000600Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000008000599Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000008000598Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000008000597Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000008000596Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000008000595Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000008000594Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000008000593Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000008000592Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000008000591Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000008000590Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000008000589Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000008000588Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000008000587Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000008000586Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000008000585Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000008000584Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000008000583Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000008000582Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000008000581Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000008000580Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x80000000000000008000579Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000008000578Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000008000577Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000008000576Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000008000575Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000008000574Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000008000573Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x80000000000000008000572Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000008000571Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8trueSplunk, Inc.Valid 10341000x80000000000000008000570Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000569Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000568Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000567Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-DD0B-60DD-0500-00000000C801}420436C:\Windows\system32\csrss.exe{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008000566Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.146{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008000565Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.148{3BF36828-ECAB-60DD-9C02-00000000C801}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015902547Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:19.142{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B325E85261968D4F7EB78D307F6E049F,SHA256=A71EB04CB2F349C9BEAE9159CF1BE560F4D20B179E8843F63AB788539ED1804F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000668Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:20.521{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8EAA52B6411C8B8FB15FE0E4BE882173,SHA256=8E0D7D61A3B8C676CAA7A4EB87EB29D58FE0159CFDA50D17D02A9AD9C684F9D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015902549Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:18.414{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52169-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015902548Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:20.205{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EB0E7BFEAAE2F02A1FFCF3561796304,SHA256=C8636A944BAA69989F79E33A7003BE345E6186E4185F87FB92DFA9610B1A0CA9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000670Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:21.334{3BF36828-DD1D-60DD-3000-00000000C801}2540NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008000669Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:21.224{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=119DCE4D2A894FDD14579E1304C74AB0,SHA256=F09C9572A22255D68583A6B69751903A77130766F0A8F736E29ADEEDE548F1C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902550Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:21.236{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A1DD48DDF978A824E5896252528BFD2,SHA256=0DE33CC0B1E14E1064762F42B684429779B79E4ABC0E8DC6D016BB11444D57C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000672Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:22.630{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=650BA91862B28C6F5D7CE742454374BD,SHA256=DAC84FA746E6653487FFEA6A3339CB5097F3AD46395C3D47DFB0592A83D00CE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000008000671Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:19.397{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61157-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015902551Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:22.267{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE25A16394C11AF12EAF3AD5AD679378,SHA256=D3FFDFB0E6257E22826E7079047BC88AD98D26E4FF49ADE2695F59D732A4EB9A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000008000673Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:20.506{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61158-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000015902552Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:23.283{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCBA6493DB740296C8617939221E6827,SHA256=A678E7B78B019B90C21188F4337D0F9673B0DB4AE52D2B57AF5472FD4F7FF347,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000674Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:24.052{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77159DAF1E550C3DDEBB13D085FB4B1A,SHA256=BDD718CE7052D092545943D0D3FA3D85F93398E942B72FAD4A0086F07B271A1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902553Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:24.299{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3669D79669C31FFE0A241A5ED945958E,SHA256=0B0C0C8D2FFF9B72B73767B0BD5C8F4CDEAEC1E1691223BDC64A3A60C93EBE6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000675Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:25.412{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7021D22D4841CB1B403A200F1089E6FE,SHA256=DEDF176836FD7D59EBA8E23550341BC3ACED384E39C49BD9B3FB3D7D622C0E72,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015902555Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:23.445{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52170-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015902554Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:25.345{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DE9026F50EC7AD8513555EA48D209A2,SHA256=A61B19F662ECD6DFE5F04748EB60491A16246CD3EF0736C5FE9FB4EA2FF71FE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000008000731Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.912{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000008000730Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.912{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000008000729Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.912{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000008000728Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.802{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000008000727Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.802{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000008000726Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.802{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000008000725Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.802{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000008000724Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.802{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000008000723Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.802{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000008000722Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.802{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000008000721Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.802{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000008000720Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x80000000000000008000719Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000008000718Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000008000717Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000008000716Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000008000715Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000008000714Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000008000713Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000008000712Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000008000711Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000008000710Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000008000709Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000008000708Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000008000707Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000008000706Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000008000705Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000008000704Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000008000703Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000008000702Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000008000701Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000008000700Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000008000699Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000008000698Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x80000000000000008000697Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000008000696Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000008000695Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x80000000000000008000694Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x80000000000000008000693Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000008000692Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000008000691Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000008000690Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000008000689Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x80000000000000008000688Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000008000687Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000008000686Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000008000685Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000008000684Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AECtrueSplunk, Inc.Valid 10341000x80000000000000008000683Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000682Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000681Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000680Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000679Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008000678Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008000677Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.788{3BF36828-ECB2-60DD-9E02-00000000C801}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000008000676Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:26.787{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4A1E4B0B3DE77AEE1D35699133618E9,SHA256=C8538D6C0AA923968316F614AB626EF20625029522BDD8225524F970E764B6D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902556Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:26.392{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=091CBD2AE7BB851A6325ECFA24D5414E,SHA256=657FDCD12FA39D3730522621E8DD3298EE3D9269D8D25ED8F94962BCE0BDFE3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000008000782Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.583{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000008000781Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.583{3BF36828-ECB3-60DD-9F02-00000000C801}10763748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000008000780Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.583{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000008000779Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.583{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000008000778Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.474{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000008000777Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.474{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000008000776Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.474{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000008000775Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.474{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000008000774Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.474{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000008000773Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.474{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000008000772Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.474{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000008000771Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.474{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000008000770Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000008000769Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000008000768Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000008000767Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000008000766Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000008000765Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000008000764Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000008000763Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000008000762Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000008000761Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000008000760Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000008000759Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000008000758Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000008000757Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000008000756Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000008000755Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000008000754Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000008000753Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000008000752Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000008000751Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000008000750Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000008000749Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000008000748Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000008000747Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000008000746Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000008000745Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000008000744Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000008000743Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000008000742Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000008000741Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000008000740Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000008000739Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000008000738Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000737Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000736Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000735Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000734Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008000733Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.458{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008000732Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:27.461{3BF36828-ECB3-60DD-9F02-00000000C801}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015902557Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:27.424{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D06165A4286096B8258F1003E3512539,SHA256=A883C3F1D03A6D6145CEA2619AD68999E167B85154E584CC057EF5C75E083A04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000008000888Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.944{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000008000887Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.944{3BF36828-ECB4-60DD-A102-00000000C801}5964364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000008000886Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.944{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000008000885Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.944{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000008000884Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.835{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000008000883Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.835{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000008000882Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.835{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000008000881Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.835{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000008000880Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.835{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000008000879Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.835{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000008000878Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.835{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000008000877Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.835{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000008000876Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000008000875Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000008000874Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 23542300x80000000000000008000873Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5716857B258510CE633F41D1356C25D0,SHA256=F624C1B06EBA5DC7F079C659CB239E14FE17F786DF64857229DA151B6C81DF40,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000008000872Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000008000871Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000008000870Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000008000869Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000008000868Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000008000867Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000008000866Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000008000865Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000008000864Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000008000863Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000008000862Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000008000861Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000008000860Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000008000859Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000008000858Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000008000857Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000008000856Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000008000855Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000008000854Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000008000853Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000008000852Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000008000851Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000008000850Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000008000849Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x80000000000000008000848Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000008000847Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000008000846Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000008000845Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000008000844Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000008000843Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25trueSplunk, Inc.Valid 10341000x80000000000000008000842Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000841Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000840Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000839Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000838Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008000837Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.819{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008000836Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.821{3BF36828-ECB4-60DD-A102-00000000C801}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000008000835Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.272{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x80000000000000008000834Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.272{3BF36828-ECB4-60DD-A002-00000000C801}15761980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000008000833Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.272{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000008000832Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.272{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x80000000000000008000831Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:25.287{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61159-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x80000000000000008000830Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.163{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000008000829Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.163{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000008000828Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.163{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000008000827Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.163{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000008000826Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.163{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000008000825Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.163{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000008000824Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.163{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000008000823Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.163{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 23542300x80000000000000008000822Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AC6C7BC69A49A849BB2858D4A6DE996,SHA256=F6A7BDF635C3224031FF36D4834223DFDF1796DFAE9BB689D6CEA23F8005FE81,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000008000821Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000008000820Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000008000819Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000008000818Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000008000817Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000008000816Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000008000815Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000008000814Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000008000813Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000008000812Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000008000811Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000008000810Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x80000000000000008000809Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000008000808Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000008000807Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000008000806Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000008000805Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000008000804Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000008000803Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000008000802Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000008000801Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000008000800Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000008000799Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000008000798Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000008000797Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x80000000000000008000796Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000008000795Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 10341000x80000000000000008000794Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000008000793Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000008000792Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000008000791Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000008000790Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1CtrueSplunk, Inc.Valid 10341000x80000000000000008000789Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000788Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000787Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000786Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000785Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-DD0B-60DD-0500-00000000C801}420548C:\Windows\system32\csrss.exe{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008000784Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.147{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008000783Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:28.150{3BF36828-ECB4-60DD-A002-00000000C801}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015902559Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:28.892{B81B27B7-880B-60DC-1F00-00000000C701}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9D45E1BDB6F237A6CF51FFC6A12E6130,SHA256=87EEE278CDF62B2B86AF9CB87BDB04BAFB10272CEA175D83979B0C43158C5AB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902558Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:28.439{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9086200750E7FE11CAD28FFB0049E0C7,SHA256=62C36745C7C95333159D5587473A4BDF84380CF1E25345E0BA5F74201801E19D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x80000000000000008000940Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.632{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x80000000000000008000939Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.632{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x80000000000000008000938Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.632{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x80000000000000008000937Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.522{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x80000000000000008000936Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.522{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x80000000000000008000935Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.522{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x80000000000000008000934Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.522{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x80000000000000008000933Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.522{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330,IMPHASH=050C8F7AA588BF04847F59B2EFAE366AtrueMicrosoft WindowsValid 734700x80000000000000008000932Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.522{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x80000000000000008000931Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.522{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F,IMPHASH=2D83F1DFF12EFB449C1FCD6634700369trueMicrosoft WindowsValid 734700x80000000000000008000930Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x80000000000000008000929Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x80000000000000008000928Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x80000000000000008000927Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x80000000000000008000926Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x80000000000000008000925Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x80000000000000008000924Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x80000000000000008000923Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045,IMPHASH=2005807FD04567B79F4109D23F9E6018trueMicrosoft WindowsValid 734700x80000000000000008000922Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7,IMPHASH=86B04733169A315F437478D1C9AA6193trueSplunk, Inc.Valid 734700x80000000000000008000921Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x80000000000000008000920Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x80000000000000008000919Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x80000000000000008000918Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x80000000000000008000917Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25D,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x80000000000000008000916Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x80000000000000008000915Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x80000000000000008000914Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x80000000000000008000913Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A,IMPHASH=06C8C57E25207671F4639FDBFA0212ECtrueSplunk, Inc.Valid 734700x80000000000000008000912Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x80000000000000008000911Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 23542300x80000000000000008000910Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69154E81E277308E13C74768987FA0B1,SHA256=17169BFC26D64B00374C1606E986B84FA5B4964B7572AC30B6A536FAA81B8C2C,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000008000909Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x80000000000000008000908Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758,IMPHASH=EB45E6A4165ECBE63E7CA7D14DE0BD8EtrueMicrosoft WindowsValid 734700x80000000000000008000907Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x80000000000000008000906Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x80000000000000008000905Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B,IMPHASH=D2F471BB25AF6310EB67BD4EA99B4DBCtrueMicrosoft WindowsValid 734700x80000000000000008000904Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x80000000000000008000903Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x80000000000000008000902Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000008000901Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x80000000000000008000900Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-DD1E-60DD-3800-00000000C801}34403460C:\Windows\system32\conhost.exe{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000008000899Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x80000000000000008000898Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x80000000000000008000897Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x80000000000000008000896Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748trueSplunk, Inc.Valid 10341000x80000000000000008000895Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000894Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000893Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000892Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-DD0C-60DD-0C00-00000000C801}8642548C:\Windows\system32\svchost.exe{3BF36828-DD1D-60DD-2A00-00000000C801}2100C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000008000891Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-DD0B-60DD-0500-00000000C801}420376C:\Windows\system32\csrss.exe{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000008000890Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.507{3BF36828-DD1D-60DD-3000-00000000C801}25404140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000008000889Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:29.508{3BF36828-ECB5-60DD-A202-00000000C801}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3BF36828-DD0B-60DD-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{3BF36828-DD1D-60DD-3000-00000000C801}2540C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015902560Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:29.470{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=154927182A50320C48280D3282C202E1,SHA256=1A7E51C5A1C473975F0BC91D1BAE681F76913ED0F964644F18D989362B025275,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000943Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:30.944{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F662E211A784344533883EEC7E693186,SHA256=3385E1C636CA24F1A24F0EC143FE71A4CB05DD7A92A6F7C4174F1E2EE222103F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008000942Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:30.944{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3ED1D793BCB84A04F62DB27A6F135FE,SHA256=D3C8CE61821B1C18AB6DE4B20EAA809043D6250917E57899BA346D2605B9B5F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008000941Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:30.194{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2988BFAA2BD573547744439DDD359FC1,SHA256=47E74F51E4451C6F0B93295EED9E5E30ACC9F8387C0DCDBB9A9794FD61407B12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902561Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:30.470{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C213AFBDCC88D1E54AFEDCA643B0569,SHA256=9C82F4B407395E744019756838648F149AF1E4F3F8349C485576898991A752BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902563Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:31.533{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB2F849765C7A92118CD2A3D486B6F8E,SHA256=E5D7465D9FA0B4638348E26AAC93CB2604A34DC611D7E41273EA801EFE1A4AB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015902562Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:28.179{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52171-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x80000000000000008000945Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:30.367{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61160-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000008000944Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:32.429{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E7C147C2C08DDE46815BECCC87BA859,SHA256=B938D69C8D347CDB1A7FC4CD499A347DF61177FFE8CB5D954D684C97F17AF41E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902565Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:32.579{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5204764E68B2747C555D9DE8A1E8A5EA,SHA256=058D32C47B4CA1C41D3BCB91462C1987D59F031CC8AFAD60157F4212BB62593A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015902564Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:29.492{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52172-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000008000946Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:33.913{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09F2A5DFC0FFFA4B8285589813B2CCF0,SHA256=8D6F62D6CE2E5A887F7630F829EF91064B2B0056BDA01AC7F409455908E2A792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902566Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:33.595{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7178B44C8D56812A8A03CCCC36870316,SHA256=D705DCBF6B1413D6A91ADC7F643532C95F747BA8BB242AF2744AC41FFC49C0FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902567Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:34.595{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=517D5147A80892BF2EDFD4BF86AC924C,SHA256=52EADAB50A930055A057B863C479ED90D93B95BC2FA9548AC3931EB76AD7999B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000947Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:35.272{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA4F7535E3E4FEB55E2884ED4C1DC564,SHA256=066887BF8A559C11245F1209F9712C3398798A99D4CA50C6DF07806FE03B92F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902568Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:35.626{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F0B61C0B4A4247F32DCB57E4906E176,SHA256=714D65DE7059F9897C15C5C2C3ADD9069762EB36D5E99288DF88684D05E1AB94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000948Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:36.647{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAB77D8BC31C2472FAAA1AA47FD6B123,SHA256=79D9C41AD2465A00FF32545E91C416DF87103CB1B9C2EBDB015391AA4BBDF7AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902569Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:36.643{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16B000719F478A3D32DFA4B641E78EC0,SHA256=7197191E0FED3D864B98ACA5C3C834A034983DD1B1FD019FD3A60E97CB86B67B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x80000000000000008000949Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:35.367{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61161-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015902571Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:37.659{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=232A6E6577A7E986A988CA09A7A1B936,SHA256=E4D3CB0015D70B28A0CA948A0749C8134C9FE9682DAE949DDBBE9F4F1515E508,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015902570Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:34.507{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52173-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000008000950Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:38.007{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0BFEC3C5BB3485BC5E462502BA0AF63,SHA256=DFB6182EC84216E117F9A5D96CE7A692E0561CE50198E6F55191055C48FE432C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902572Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:38.706{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB91DA27BADE963A90D12F1468F9591D,SHA256=D380BE057E5D6185AE66B7A6B1F9911EAC8544548EC311AA7F73199BF294360F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000951Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:39.366{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C0E0CFDC534295A4B44F834635C44DC,SHA256=AA00F41EB66B6DA4C96711BF4839FE8DB76FFFAD017F54468711DC754C734C69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902573Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:39.722{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06A2C4D6B83A1AEE89EF1A7F82E78424,SHA256=F02D8CD6D95B9B887D2D515367CA64F2F2FA4F4264122A354288804EB900FB5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000953Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:40.741{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02031C34487EE68799D515CF716AB0E1,SHA256=64D6BB1C4C092B2714F4CBDA566046950F22EFB4B42A245F04297BE4906B50EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008000952Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:40.054{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B7EBA795A3C195969FE28E91854C655,SHA256=3AFF69AB5232720610ED5BC4678C5B7F15DA629EA410002FE600230B2FE3769F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902574Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:40.753{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AEFB687C42715B420AE36AACC29E06E,SHA256=1D681C2615399057A4B0BC891A7BCADB657CF971D82A3130C28766AEED1E7CD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902575Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:41.816{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CFDB621EEBF578A9FE18C35DEFEA27D,SHA256=D47971215D9D8ADC8FA6241E75EAC1BD2A590D5276B90785428BE3F99524D4DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000955Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:42.554{3BF36828-DD0D-60DD-1200-00000000C801}396NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3226DF262467D892685A0A6D32593AAA,SHA256=AF32F9C055F969745D0E4C728C5AA836FB93A6D43386DB3F24CEABE389753E51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000008000954Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:42.101{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63EE7DFFD2EF067D49DC35DF95D64870,SHA256=0C6810BFF2A5C0A9E3F0C5EBFA6C9F67898D062B89649472901111CAE6052C52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902590Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:42.847{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B820E00867C07AFBA013629E3D98C93C,SHA256=F6FC71EFCA71D8DC9D377D7117287D5788F72C3804857FDBD5043EE923EF3C93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015902589Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:42.784{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-ECC2-60DD-B02A-00000000C701}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902588Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:42.784{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902587Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:42.784{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902586Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:42.784{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902585Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:42.784{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902584Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:42.784{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902583Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:42.784{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902582Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:42.784{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902581Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:42.784{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902580Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:42.784{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902579Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:42.784{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-ECC2-60DD-B02A-00000000C701}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015902578Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:42.784{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-ECC2-60DD-B02A-00000000C701}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015902577Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:42.785{B81B27B7-ECC2-60DD-B02A-00000000C701}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000015902576Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:40.507{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52174-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000008000957Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:40.429{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61162-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000008000956Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:43.460{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D30CCF11FD089AFAD736622539444E1B,SHA256=03EB1853AB8C32A8CB9C3DAEB4316D2B52FAB38A8111CC1F8C2C253B55215AC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902605Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:43.862{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77F877DD2EF711CDD339B7A475576510,SHA256=78A20006D6DFD80719982E08A41F09420AA980058D1BC9F76ADAB89E1FE28BC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015902604Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:43.597{B81B27B7-ECC3-60DD-B12A-00000000C701}38922248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902603Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:43.456{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-ECC3-60DD-B12A-00000000C701}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902602Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:43.456{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902601Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:43.456{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902600Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:43.456{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902599Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:43.456{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902598Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:43.456{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902597Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:43.456{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902596Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:43.456{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902595Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:43.456{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902594Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:43.456{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902593Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:43.456{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-ECC3-60DD-B12A-00000000C701}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015902592Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:43.456{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-ECC3-60DD-B12A-00000000C701}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015902591Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:43.457{B81B27B7-ECC3-60DD-B12A-00000000C701}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000008000958Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:44.835{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AED19201E9AFC34F2709D2B5E8EC421,SHA256=C592AD6D99805AD251581897FB987AE7715AB4B01120CC1496050F000A759763,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902621Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:44.878{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD1784654AB226DB45432E932EFBE09F,SHA256=8F0314036B9FDC93B01D37B747D97590D8AC1527D3840D96BC1925BC9457FF45,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015902620Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:44.128{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-ECC4-60DD-B22A-00000000C701}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902619Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:44.128{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902618Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:44.128{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902617Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:44.128{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902616Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:44.128{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902615Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:44.128{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902614Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:44.128{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902613Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:44.128{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902612Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:44.128{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902611Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:44.128{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902610Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:44.128{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-ECC4-60DD-B22A-00000000C701}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015902609Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:44.128{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-ECC4-60DD-B22A-00000000C701}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015902608Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:44.129{B81B27B7-ECC4-60DD-B22A-00000000C701}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015902607Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:44.019{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C25E557FF170608EEC0C2354E271AB80,SHA256=115B27676776419ACB5B8531F48500810B40A47AD51D684AE2574BE2EBE1A07A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902606Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:44.019{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC099A88D478D1F99D529EAB10890931,SHA256=D7D364E3ADA2D014FAD976181EBA03DA19BB0C551CF4BA7FCF5AD69BB488B0E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902623Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:45.909{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45A08F31027DD0E8974E4C57AD8493B9,SHA256=5CEB96F4D7A764B7B2F11CD96B0FF41EDF887762B0B6F58738F33B9572E0FD88,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902622Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:45.159{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C25E557FF170608EEC0C2354E271AB80,SHA256=115B27676776419ACB5B8531F48500810B40A47AD51D684AE2574BE2EBE1A07A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x80000000000000008000959Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:46.194{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B60E323FD9287B8A737A79D4F3F4F4B,SHA256=0A0C02D23DDC756DBA0A6E1A120124344CE836AFA662B7174A0C983B606D569A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902624Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:46.925{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1CB1BFB2AEF18E166659E4D5684771E,SHA256=999C8E9680A8F748A4DCD84F6923EC2287D7E06BC1CA61F6AEBB01DCB1AC61FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902639Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:47.956{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A72CA4B47942B78B5AFCB462F435710,SHA256=FC91FD0BFB49BDACE925EAAF3B9FE82BEFF80697BE2F2B30014C2ECDE6A9F466,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015902638Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:47.503{B81B27B7-ECC7-60DD-B32A-00000000C701}55164732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902637Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:47.362{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-ECC7-60DD-B32A-00000000C701}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902636Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:47.362{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902635Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:47.362{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902634Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:47.362{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902633Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:47.362{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902632Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:47.362{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902631Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:47.362{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902630Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:47.362{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902629Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:47.362{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902628Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:47.362{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902627Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:47.362{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-ECC7-60DD-B32A-00000000C701}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015902626Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:47.362{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-ECC7-60DD-B32A-00000000C701}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015902625Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:47.363{B81B27B7-ECC7-60DD-B32A-00000000C701}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000008000960Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:48.912{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF33B889B72E88F058C4C70E8C86D903,SHA256=3809E160EFA3637F5B7930B418CC9A33EC0A68436A6E494AC489A9605AA3398D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015902671Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:48.721{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-ECC8-60DD-B52A-00000000C701}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902670Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:48.721{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902669Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:48.721{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902668Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:48.721{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902667Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:48.721{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902666Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:48.721{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902665Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:48.721{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902664Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:48.721{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902663Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:48.721{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902662Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:48.721{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902661Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:48.721{B81B27B7-8809-60DC-0500-00000000C701}424996C:\Windows\system32\csrss.exe{B81B27B7-ECC8-60DD-B52A-00000000C701}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015902660Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:48.721{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-ECC8-60DD-B52A-00000000C701}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015902659Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:48.721{B81B27B7-ECC8-60DD-B52A-00000000C701}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000015902658Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:48.658{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1500-00000000C701}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902657Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:48.658{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1500-00000000C701}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902656Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:48.658{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880A-60DC-1500-00000000C701}1180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000015902655Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:46.351{B81B27B7-8815-60DC-6400-00000000C701}2904C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-987.attackrange.local52175-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000015902654Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:48.393{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=859E2FC0BDDAF21D900E422DC0B26152,SHA256=03FFF8EF8D123F594129D0F19340B96413B6B2D52E827D047FD56A3E4A122AF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015902653Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:48.190{B81B27B7-ECC8-60DD-B42A-00000000C701}12364320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902652Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:48.034{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-ECC8-60DD-B42A-00000000C701}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902651Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:48.034{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902650Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:48.034{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902649Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:48.034{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902648Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:48.034{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902647Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:48.034{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902646Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:48.034{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902645Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:48.034{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902644Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:48.034{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902643Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:48.034{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902642Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:48.034{B81B27B7-8809-60DC-0500-00000000C701}424540C:\Windows\system32\csrss.exe{B81B27B7-ECC8-60DD-B42A-00000000C701}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015902641Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:48.034{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-ECC8-60DD-B42A-00000000C701}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015902640Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:48.035{B81B27B7-ECC8-60DD-B42A-00000000C701}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000008000962Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:46.367{3BF36828-DD27-60DD-7100-00000000C801}4428C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-128.attackrange.local61163-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000008000961Microsoft-Windows-Sysmon/Operationalwin-dc-128.attackrange.local-2021-07-01 16:26:49.928{3BF36828-DD2E-60DD-7A00-00000000C801}4728NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A7083D5F1E02F8DBE3F9AB9546253D,SHA256=B695D34B922CDE60E5357F85D30811ABCB06C1797018CD74525D78AE7BC8D4C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015902687Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:49.940{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=664E09141CE5E72BAB2BC9DC6EC8E054,SHA256=35226E5DB6ED520D018F64489269E9E8B812F7BCDBB3C90110A556F3B5EC4AC6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015902686Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:49.565{B81B27B7-ECC9-60DD-B62A-00000000C701}3616380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902685Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:49.393{B81B27B7-880C-60DC-2B00-00000000C701}28642884C:\Windows\system32\conhost.exe{B81B27B7-ECC9-60DD-B62A-00000000C701}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902684Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:49.393{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902683Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:49.393{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902682Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:49.393{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902681Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:49.393{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902680Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:49.393{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902679Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:49.393{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902678Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:49.393{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902677Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:49.393{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902676Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:49.393{B81B27B7-880A-60DC-0C00-00000000C701}7363292C:\Windows\system32\svchost.exe{B81B27B7-880B-60DC-1C00-00000000C701}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015902675Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:49.393{B81B27B7-8809-60DC-0500-00000000C701}424440C:\Windows\system32\csrss.exe{B81B27B7-ECC9-60DD-B62A-00000000C701}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000015902674Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:49.393{B81B27B7-880B-60DC-1F00-00000000C701}19604000C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{B81B27B7-ECC9-60DD-B62A-00000000C701}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000015902673Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:49.393{B81B27B7-ECC9-60DD-B62A-00000000C701}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B81B27B7-880A-60DC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{B81B27B7-880B-60DC-1F00-00000000C701}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015902672Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:49.049{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39E8E810CD767EC48D8DB8AC04BA6A3C,SHA256=5F4984EC45F823FB67A70CF59985E85E67730EA4C964AE68B610C480A99FDF4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902688Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:50.127{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14FBA51CB982BFCD0D889FD684032C25,SHA256=47FDE184045DAA2A437032997DE9C084B023C81FA760A605E8A6202E18F11D2D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902689Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:51.158{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A02A19A7B9D091BDAD3BF527EA8784FE,SHA256=C3F16B8DECC3BB7334DC204404EE3E2CFD1436A8D6B5048AE9269092B7CFAA7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015902690Microsoft-Windows-Sysmon/Operationalwin-host-987.attackrange.local-2021-07-01 16:26:52.174{B81B27B7-881D-60DC-7400-00000000C701}3240NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD23992E7852CC714AD485817DE0FBD,SHA256=04BE79C3798BF351591D75B3B3C17BCC4BB84CA4519496FBD43DA42B9E82AAC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space